End-of-Life (EoL)
PAN-OS 7.1.11 Addressed Issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.11 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues
and any newly addressed issues in these release notes are identified
using new issue ID numbers that include a product-specific prefix.
Issues addressed in earlier releases and any associated known issue
descriptions continue to use their original issue ID.
Issue ID | Description |
---|---|
WF500-4291 | Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files. |
PAN-79436 | Fixed an issue where PA-7000 Series firewalls did not apply changes to the syslog server profile configuration until you restarted the syslog-ng process. |
PAN-78501 | Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall Network Processing Cards (NPCs) when the URL cache exceeded one million entries. |
PAN-77702 | Fixed an issue on Panorama in NSX deployments where dynamic address updates took several minutes to complete. |
PAN-77339 | SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls running in FIPS-CC mode. |
PAN-77294 | A security-related fix was made to address a vulnerability that allowed cross-site scripting (XSS) attacks on the GlobalProtect external interface because PAN-OS did not properly validate specific request parameters (CVE-2017-9467). |
PAN-77173 | A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229). |
PAN-77127 | Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated. |
PAN-77053 | Fixed an issue on PA-7000 Series firewalls where the Egress Interface in a PBF policy rule (Policies > Policy Based Forwarding > < rule > > Forwarding) was reset to a null value, which brought down all the interfaces in the slot associated with the Egress Interface and caused an HA failover. |
PAN-76964 | Fixed an issue where interfaces became unavailable due to a packet buffer overflow condition that occurred after the firewall tried to close the connection to a client that ignored the URL Filtering block page. |
PAN-76746 | Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall. |
PAN-76702 | Fixed an issue where several dataplane processes stopped responding when the firewall processed VPN traffic with IP packet chains, which were typically triggered by IP fragmentation or SSL decryption operations. |
PAN-76650 | Fixed an issue where renaming a shared object on Panorama that you previously pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies. |
PAN-76644 | Fixed an issue where the firewall could not decrypt traffic for SSL inbound inspection when the private key size was 3,072 or 4,096 bits and the firewall stored the key on a hardware security module (HSM). |
PAN-76455 | A security-related fix was made to address a persistent cross-site scripting (XSS) attack on the management interface of the firewall web interface (CVE-2017-9459). |
PAN-76158 | Fixed an issue where the firewall allowed Psiphon application sessions to continue without applying policy rules to them after the firewall ran out of resources (such as while processing heavy traffic). With this fix, the firewall drops Psiphon sessions after running out of resources. |
PAN-76144 | Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades. |
PAN-76058 | Fixed an issue where Panorama failed to migrate URL categories from BrightCloud to PAN-DB in policy pre-rules and post-rules; this fix requires content release version 718 or a later version. |
PAN-75977 | Fixed an issue where users failed to authenticate through a Ucopia LDAP server. |
PAN-75908 | Fixed an issue where multicast packets with stale session IDs caused the firewall dataplane to restart. |
PAN-75769 | Fixed an issue where the firewall enabled new applications associated with Applications updates received from Panorama even when you chose to Disable new apps in content update (Panorama > Device Deployment > Dynamic Updates). |
PAN-75721 | Fixed an issue where you could not set the authentication profile Type to None (Device > Authentication Profile) on a firewall in FIPS mode. |
PAN-75580 | Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to a command buffer limitation. |
PAN-75215 | Fixed an issue where PA-5000 Series firewalls kept sessions active for an hour instead of discarding them after 90 seconds as expected when the sessions matched a policy rule that was set to deny those sessions or when the sessions matched an allow rule that triggered a block page. |
PAN-75119 | Fixed an issue where IP Address Exemptions in Anti-Spyware profiles (Objects > Security Profiles > Anti-Spyware Profile) did not work for the following threats: Threat ID 14978, Threat ID 14984, and Raven. |
PAN-75029 | Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable. |
PAN-74938 | Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error. |
PAN-74886 | Fixed an issue where Panorama failed to push a shared address object to firewalls when the object was part of a dynamic address group that used a tag. |
PAN-74877 | Fixed an issue where Panorama took longer than expected to push configurations from multiple device groups to firewalls. |
PAN-74865 | Fixed an issue where Panorama could not push address objects to managed firewalls when zones specified the objects in the User Identification ACL include or exclude lists (Network > Zones) and you configured Panorama to not Share Unused Address and Service Objects with Devices (Panorama > Setup > Management > Panorama Settings). |
PAN-74652 | Fixed an issue where, after a firewall successfully installed a content update received from Panorama, Panorama displayed a failure message for that update when the associated job ID on the firewall was higher than 65536. |
PAN-74639 | Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions. |
PAN-74632 | Fixed an issue where the firewall did not clear IP address-to-username mappings or username-to-group mappings after reaching the maximum supported number of user groups, which caused commit failures with the following errors: user-id is not registerd and ldmgr was reset. Commit is required to reinitialize User-ID. |
PAN-74613 | Fixed an issue where the show running url-cache statistics CLI command did not display enough information to diagnose issues related to URL category resolution. With this fix, the error messages indicate what failed and the exact point of failure. |
PAN-74579 | Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane. |
PAN-74412 | Fixed an issue where, in Decryption policy rules with an Action set to No Decrypt, you could not use the web interface to set the decryption Type for matching traffic. |
PAN-74334 | Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets. |
PAN-74293 | Fixed an issue where the firewall dropped sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application. |
PAN-74139 | Fixed an issue on the PA-500 firewall where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and Traffic logs displayed the Session End Reason as decrypt-error or decrypt-cert-validation. |
PAN-73995 | Fixed an issue where firewall management interfaces that were configured through DHCP released or renewed every time you pushed configurations from Panorama instead of releasing or renewing when the DHCP leases expired. |
PAN-73993 | Fixed an issue where App-ID signature matching did not work on the firewall, which caused it to misidentify applications. |
PAN-73710 | Fixed an issue where the firewall did not commit changes to the NTP servers configuration (Device > Setup > Services) when the firewall connected to the servers through a service route and the management (MGT) interface was down. |
PAN-73707 | Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (Device > Certificate Management > SCEP). |
PAN-73556 | Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic. |
PAN-73381 | Fixed an issue on firewalls with multiple virtual systems where end users could not authenticate to a GlobalProtect portal or gateway that specified an authentication profile for which the Allow List referenced user groups instead of usernames. |
PAN-73056 | Fixed an issue where GlobalProtect prompted end users for a certificate from gp.paloaltonetworks.com because the default landing page for the GlobalProtect portal referenced an image at gp.paloaltonetworks.com. |
PAN-73053 | Fixed an issue where incremental updates failed for registered IP addresses if the firewall retrieved the updates through VM information sources (Device > VM Information Sources). |
PAN-72946 | Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface (Device > Setup > Management). With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate. |
PAN-72894 | Fixed an issue where Panorama failed to display HA firewalls (Panorama > Managed Devices) after the configd process stopped responding. |
PAN-72863 | Fixed an issue where the User-ID agent (PAN-OS integrated or Windows-based) stopped responding because the firewall sent numerous queries for the IP address-to-username mappings of unknown users. With this fix, the firewall no longer queries User-ID agents for unknown users unless you run the debug user-id query-unknown-ip yes CLI command on the firewall (you must re-run this command whenever the firewall reboots). Palo Alto Networks highly recommends upgrading your Windows-based User-ID agents to version 7.0.8 or a later version to avoid the WINAGENT-53 issue associated with this change in default behavior. |
PAN-72753 | Fixed an issue where you could not configure the 0.0.0.0/1 subnet as a Proxy ID for IPSec VPN tunnels. |
PAN-72726 | Fixed an issue where the firewall did not mark BFD packets with appropriate differentiated services code point (DSCP) values. |
PAN-72342 | Fixed an issue where end users ignored the Duo V2 authentication prompt until it timed out but still authenticated successfully to a GlobalProtect portal configured for two-factor authentication. |
PAN-72192 | Fixed an issue where, just after rebooting, a PA-7000 Series firewall failed to store logs locally on the Log Processing Card (LPC). |
PAN-71950 | Fixed an issue on firewalls in FIPS mode where the all_task process stopped responding when users accessed a web page that matched a policy rule with a URL Filtering profile in which the Site Access was set to continue or override for the category of that web page (Objects > Security Profiles > URL Filtering > < URL-filtering-profile > > Categories). |
PAN-71922 | Fixed an issue where the firewall did not generate Threat logs for classified DoS protection profiles that had an Action set to SYN Cookies (Objects > Security Profiles > DoS Protection > Flood Protection > SYN Flood). |
PAN-71535 | Fixed an issue on Panorama where Panorama > Device Deployment > Software stopped displaying software images for a release after you performed a manual Upload for a software image of that release. |
PAN-70119 | Fixed an issue where the firewall mapped users to the Kerberos Realm defined in authentication profiles (Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets. |
PAN-69761 | Fixed an issue where the firewall allowed SSL sessions with unsupported ciphers (DHE or ECDHE) without decrypting the sessions even if they matched a Decryption policy rule with an Action set to Decrypt, a Type set to SSL Inbound Inspection, and a Decryption Profile that was configured to block unsupported ciphers (Policies > Decryption > < decryption-rule > > Options). |
PAN-69367 | Fixed an issue where the firewall incorrectly generated packet diagnostic logs and captured packets for sessions that were not part of a packet filter (Monitor > Packet Capture). |
PAN-68974 | Fixed an issue on PA-3000 Series firewalls where you could not configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile). |
PAN-68654 | Fixed an issue where the firewall did not populate User-ID mappings based on the defined Syslog Parse profiles (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters). |
PAN-68543 | A security-related fix was made to address OpenSSL vulnerabilities (CVE-2016-8610). |
PAN-67618 | Fixed an issue where the Panorama XML API request to show all dynamic address groups responded with improperly formatted XML. |
PAN-67544 | Fixed an issue where, when a multicast forwarding information base (FIB) timed out, the process for packet processing (flow_ctrl) stopped responding, which intermittently caused the firewall dataplane to restart. |
PAN-66206 | Fixed an issue where PA-5000 Series firewalls did not correctly install DNS sessions that originated from an interface configured for a DNS Proxy (Network > DNS Proxy) and that were destined for a DNS server. |
PAN-64928 | Fixed an issue where PA-3000 Series firewalls did not come up after the first reboot following an upgrade; a second reboot was required. |
PAN-64404 | Fixed an issue where the commit validation process did not identify errors in content update files or in content-related configurations such as Data Pattern objects or custom threat signatures. |
PAN-63925 | Fixed an issue where a firewall did not generate a log when a content update failed or was interrupted. |
PAN-63905 | Fixed an issue where RTP sessions that were created from predict sessions went from an active state to a discard state after you installed a content update or committed configuration changes on the firewall. |
PAN-63205 | Fixed an issue on VM-Series firewalls where commit operations failed after you configured HA with the HA2 and HA3 interfaces. |
PAN-62855 | Fixed an issue where Panorama did not display the logs for Correlation events from PA-7000 Series firewalls. |
PAN-62590 | Fixed an issue on Panorama where the show log threat pcap-dump equal yes CLI command produced an invalid PCAP file. |
PAN-61834 | Fixed an issue where the firewall captured packets of IP addresses not included in the packet filter (Monitor > Packet Capture). |
PAN-60577 | Fixed an issue where an application filter with no selected categories caused the firewall to perform slowly because the filter defaulted to include all categories (Objects > Application Filters). With this fix, you cannot configure an application filter without selecting one or more categories. |
PAN-58979 | Fixed an issue where the dataplane restarted due to a memory leak in a process (mprelay) that occurred if you did not disable LLDP when you disabled an interface with LLDP enabled (Network > Interfaces > < interface > > Advanced > LLDP). |
PAN-57142 | Fixed an issue where PA-7000 Series firewalls in an HA active/passive configuration did not correctly enforce QoS limits on Aggregate Ethernet (AE) subinterfaces and did not correctly forward traffic for offloaded sessions. |
PAN-54688 | Fixed an issue where heavy processing loads caused the firewall to fill the root partition with unnecessary log_index_* and content_install_* files in the /tmp directory. With this fix, the firewall no longer generates these unnecessary files. |