End-of-Life (EoL)
PAN-OS 7.1.12 Addressed Issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.12 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues
and any newly addressed issues in these release notes are identified
using new issue ID numbers that include a product-specific prefix.
Issues addressed in earlier releases and any associated known issue
descriptions continue to use their original issue ID.
Issue ID | Description |
---|---|
PAN-81951 | Fixed an issue where errors associated with a Commit > Commit All Changes operation also caused FQDN refresh operations to fail on the firewall. With this fix, commit failures don't cause FQDN refresh failures. |
PAN-81287 | Fixed an issue where a firewall in FIPS/CC mode intermittently switched to maintenance mode. |
PAN-80433 | Fixed an issue where Panorama did not display IP addresses for NSX dynamic address groups even when the VM-Series NSX edition firewall and NSX manager displayed the IP addresses. |
PAN-80155 | Fixed an issue where firewalls that were deployed in an active/passive high availability (HA) configuration and that acted as DHCP relay agents used physical MAC addresses instead of HA virtual MAC addresses for DHCP packets. |
PAN-80122 | A security-related fix was made to address a vulnerability that allowed XML External Entity (XXE) attacks on the GlobalProtect external interface because PAN-OS did not properly parse XML input (CVE-2017-9458). |
PAN-79844 | Fixed an issue on Panorama where scheduled custom reports returned no data. |
PAN-79804 | Fixed an issue where VM-Series firewalls for VMware NSX did not register on Panorama if they belonged to a device group that contained applications from a content release version that was newer than the version included with the PAN-OS software image for fresh installations. |
PAN-79555 | Fixed an issue on VM-Series firewalls on Azure where dataplane interfaces did not come up as expected because they did not successfully negotiate Layer 2 settings during bootup. |
PAN-79174 | Fixed an issue where commits took longer to complete than expected on firewalls with hundreds of policy rules that referenced application filters or application groups that specified thousands of applications. |
PAN-78854 | Fixed an issue where a firewall dropped sessions for sites that used the supported AES-256-GCM cipher when you configured SSL Forward Proxy Decryption and defined a Decryption profile that blocked sessions using unsupported ciphers (Objects > Decryption Profile > <decryption_profile> > SSL Forward Proxy). |
PAN-78770 | Fixed an issue on PA-500 firewalls in a high availability (HA) configuration where the HA1 interface went down due to a missed HA1 heartbeat. |
PAN-78385 | Fixed an issue where a Panorama management server running PAN-OS 8.0 did not display logs that were related to VPN tunnels or authentication and that were collected from PA-7000 Series firewalls running PAN-OS 7.1 or an earlier release. |
PAN-78044 | Fixed an issue where the firewall dropped packets that were destined for IP address FD00::/8 when you configured a Zone Protection profile with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop). With this fix, FD00::/8 is no longer a reserved IP address. |
PAN-77866 | Fixed an issue where the authentication process (authd) stopped responding if a third-party device blocked the transmission of authentication packets between the firewall and an LDAP server. With this fix, authentication fails without authd becoming unresponsive if a third-party device blocks LDAP authentication packets. |
PAN-77747 | Fixed an issue where a firewall with ECMP enabled on a virtual router (Network > Virtual Routers > Router Settings > ECMP) did not load balance the traffic among egress interfaces when the traffic originated from another virtual router. |
PAN-77652 | Fixed an issue on PA-7000 Series firewalls where the mprelay process stopped responding due to a memory leak on the control plane. |
PAN-77645 | Fixed an issue where Dedicated Log Collectors did not forward logs to a syslog server over TCP. |
PAN-77520 | Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot. |
PAN-77062 | Fixed an issue where administrators with a custom role could not delete packet captures. |
PAN-76997 | Fixed an issue on the PA-3020 firewall where SSL connections failed due to memory allocation issues if you configured a Decryption profile with Key Exchange Algorithms that included ECDHE (Objects > Decryption Profile > <decryption_profile> > SSL Protocol Settings). |
PAN-76831 | Fixed an issue on PA-7000 Series firewalls where committing configuration changes caused the management server to stop responding and made the web interface and CLI inaccessible. |
PAN-76830 | Fixed an issue on PA-5000 Series firewalls where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation. |
PAN-76160 | Fixed an issue where a memory leak caused the firewall to create hundreds of LDAP connections, which resulted in commit failures. |
PAN-76155 | Fixed an issue where the logs for the VM Monitoring Agent did not indicate the reason for events that caused the agent to exit. With this fix, the agent logs display debug-level details when the agent exits. |
PAN-76130 | A security-related fix was made to address OpenSSL vulnerabilities relating to the Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460). |
PAN-76019 | Fixed an issue where the dataplane restarted because the firewall used incorrect zone identifiers for deleting flows when untagged subinterfaces had parent interfaces with no zone assignment. |
PAN-76003 | A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416). |
PAN-75724 | Fixed an issue where the PAN-OS integrated User-ID agent allowed weak ciphers for SSL/TLS connections. With this fix, the User-ID agent allows only the following ciphers for SSL/TLS connections: |
PAN-75571 | Fixed an issue where the web interface did not display the full list of IPSec tunnels (Network > IPSec Tunnels) after upgrading the firewall to PAN-OS 7.1.7. |
PAN-75371 | Fixed an issue where firewalls configured to perform destination NAT misidentified applications after incorrectly adding the public IP addresses of destination servers to the App-ID cache. |
PAN-75337 | Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptic curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange. |
PAN-75132 | Fixed an issue where certificates created locally on the firewall had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates. |
PAN-74880 | Fixed an issue where retrieving threat packet captures took longer than expected through the web interface (Monitor > Logs > Threat) or PAN-OS XML API. |
PAN-74369 | Fixed an issue where modifying the BFD profile in a virtual router (Network > Virtual Routers) caused the routed process to stop responding. |
PAN-74366 | Fixed an issue on the firewall and Panorama where the management server (mgmtserver) process restarted after you tried to filter a Policies > <policy_type> list based on specific strings such as 00 or 000. |
PAN-74110 | Fixed an issue where administrators could not log in to the firewall using LDAP credentials after a PAN-OS upgrade. |
PAN-74067 | Fixed an issue in large-scale deployments where the User-ID process (useridd) stopped responding due to a loop condition because firewalls configured as User-ID agents repeatedly redistributed the same IP address-to-username mappings. |
PAN-73919 | Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture). |
PAN-73711 | Fixed an issue where firewalls configured as DHCP clients did not receive IP addresses from the DHCP server because the firewalls did not set the gateway IP address (giaddr) value to zero in DHCP client reply messages. |
PAN-73270 | Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to Regex Identifier (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters) matched a null character in a syslog message. |
PAN-72831 | Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that indicated LDAP servers were down. |
PAN-72334 | Fixed an issue where firewalls did not resume forwarding logs to Log Collectors after Panorama management servers in a high availability (HA) configuration recovered from a split-brain condition. |
PAN-71615 | Fixed an issue where an intrazone block rule shadowed a universal rule that had different source and destination zones. |
PAN-71612 | Fixed an issue where the logs that the firewall forwarded to a syslog server had syslog header timestamps that did not match the times when the firewall generated the logs. |
PAN-71392 | Fixed an issue where the firewall did not connect to a SCEP server if the SCEP service route used a loopback interface as the Source Interface (Device > Setup > Services > Service Route Configuration). |
PAN-71226 | Fixed an issue where the firewall dataplane restarted because packet processing processes stopped responding for HTTP traffic involving URL percent-encoding. |
PAN-71192 | Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server stopped responding. |
PAN-69014 | Fixed an issue where the Panorama management server did not display the logs collected from PA-7000 Series firewalls that were assigned to a device group that was the child of the Device Group selected on the Monitor tab of the web interface. |
PAN-68658 | Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out-of-sync. |
PAN-68580 | Fixed an issue where VM-Series firewalls in a high availability (HA) configuration displayed the wrong link state after a link-monitoring failure. |
PAN-68363 | Fixed an issue where logs exported in CSV format had columns that were not aligned correctly. |
PAN-66719 | Fixed an issue where, when the session synchronization rate was very high, firewalls in a high availability (HA) configuration dropped Backup keep-alive messages, which caused flapping on the HA2 interface. |
PAN-66552 | Fixed an issue where the firewall web interface referred to external dynamic lists (EDLs) as block lists in the Destination Address drop-down of policy rules (Policies > <policy_type> > <rule> > Destination). With this fix, the Destination Address lists EDLs under the External Dynamic List header. |
PAN-63528 | Fixed an issue on the VM-Series firewall on Hyper-V where VLAN trunking did not enable the firewall to process traffic on multiple subinterfaces using VLAN tags. |
PAN-63333 | Fixed an issue where adding more OSPF areas to a virtual router that had no neighbors (Network > Virtual Routers > <virtual_router_configuration> > OSPF > Areas) caused BFD sessions to flap on connections to existing OSPF neighbors. |
PAN-61813 | Fixed an issue on Panorama where a custom scheduled report configured for a device group was empty when exported. |
PAN-60863 | Fixed an issue where a switch connected to firewalls in an active/passive high availability (HA) configuration stopped learning MAC addresses after HA failover. |
PAN-60535 | Fixed an issue on PA-7000 Series firewalls where NPC slots went down due to missing heartbeats. |
PAN-59895 | Fixed an issue where firewalls in an active/active high availability (HA) configuration did not perform an autocommit after rebooting (such as after a PAN-OS upgrade), which prevented the firewalls from applying policies. |
PAN-57667 | Fixed an issue where Panorama stopped the report generation process at 80% for a SaaS Application Usage report for a Device Group that had a space in its name (Panorama > Monitor > PDF Reports > SaaS Application Usage). |
PAN-56041 | Fixed an issue on firewalls with an IPv6 configuration where the mprelay process stopped responding. |
PAN-50081 | Fixed an issue where CPU utilization stayed at 100% on the dataplanes of firewalls in an active/active high availability (HA) configuration when the firewalls had multiple virtual systems, used SSL Forward Proxy Decryption, and connected to third-party Layer 3 devices. |
PAN-49363 | Fixed an issue where an SNMP walk operation on an SNMP manager displayed a discrepancy between the number of interfaces and interface descriptions because the firewall did not decrease the number of SNMP interface indexes after you removed logical interfaces from the configuration. |