PAN-OS 7.1.12 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.12 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Fixed an issue where errors associated with a Commit > Commit All Changes operation also caused FQDN refresh operations to fail on the firewall. With this fix, commit failures don't cause FQDN refresh failures.
Fixed an issue where a firewall in FIPS/CC mode intermittently switched to maintenance mode.
Fixed an issue where Panorama did not display IP addresses for NSX dynamic address groups even when the VM-Series NSX edition firewall and NSX manager displayed the IP addresses.
Fixed an issue where firewalls that were deployed in an active/passive high availability (HA) configuration and that acted as DHCP relay agents used physical MAC addresses instead of HA virtual MAC addresses for DHCP packets.
A security-related fix was made to address a vulnerability that allowed XML External Entity (XXE) attacks on the GlobalProtect external interface because PAN-OS did not properly parse XML input (CVE-2017-9458).
Fixed an issue on Panorama where scheduled custom reports returned no data.
Fixed an issue where VM-Series firewalls for VMware NSX did not register on Panorama if they belonged to a device group that contained applications from a content release version that was newer than the version included with the PAN-OS software image for fresh installations.
Fixed an issue on VM-Series firewalls on Azure where dataplane interfaces did not come up as expected because they did not successfully negotiate Layer 2 settings during bootup.
Fixed an issue where commits took longer to complete than expected on firewalls with hundreds of policy rules that referenced application filters or application groups that specified thousands of applications.
Fixed an issue where a firewall dropped sessions for sites that used the supported AES-256-GCM cipher when you configured SSL Forward Proxy Decryption and defined a Decryption profile that blocked sessions using unsupported ciphers (Objects > Decryption Profile > <decryption_profile> > SSL Forward Proxy).
Fixed an issue on PA-500 firewalls in a high availability (HA) configuration where the HA1 interface went down due to a missed HA1 heartbeat.
Fixed an issue where a Panorama management server running PAN-OS 8.0 did not display logs that were related to VPN tunnels or authentication and that were collected from PA-7000 Series firewalls running PAN-OS 7.1 or an earlier release.
Fixed an issue where the firewall dropped packets that were destined for IP address FD00::/8 when you configured a Zone Protection profile with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop). With this fix, FD00::/8 is no longer a reserved IP address.
Fixed an issue where the authentication process (authd) stopped responding if a third-party device blocked the transmission of authentication packets between the firewall and an LDAP server. With this fix, authentication fails without authd becoming unresponsive if a third-party device blocks LDAP authentication packets.
Fixed an issue where a firewall with ECMP enabled on a virtual router (Network > Virtual Routers > Router Settings > ECMP) did not load balance the traffic among egress interfaces when the traffic originated from another virtual router.
Fixed an issue on PA-7000 Series firewalls where the mprelay process stopped responding due to a memory leak on the control plane.
Fixed an issue where Dedicated Log Collectors did not forward logs to a syslog server over TCP.
Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
Fixed an issue where administrators with a custom role could not delete packet captures.
Fixed an issue on the PA-3020 firewall where SSL connections failed due to memory allocation issues if you configured a Decryption profile with Key Exchange Algorithms that included ECDHE (Objects > Decryption Profile > <decryption_profile> > SSL Protocol Settings).
Fixed an issue on PA-7000 Series firewalls where committing configuration changes caused the management server to stop responding and made the web interface and CLI inaccessible.
Fixed an issue on PA-5000 Series firewalls where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation.
Fixed an issue where a memory leak caused the firewall to create hundreds of LDAP connections, which resulted in commit failures.
Fixed an issue where the logs for the VM Monitoring Agent did not indicate the reason for events that caused the agent to exit. With this fix, the agent logs display debug-level details when the agent exits.
A security-related fix was made to address OpenSSL vulnerabilities relating to the Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460).
Fixed an issue where the dataplane restarted because the firewall used incorrect zone identifiers for deleting flows when untagged subinterfaces had parent interfaces with no zone assignment.
A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416).
Fixed an issue where the PAN-OS integrated User-ID agent allowed weak ciphers for SSL/TLS connections. With this fix, the User-ID agent allows only the following ciphers for SSL/TLS connections:
Fixed an issue where the web interface did not display the full list of IPSec tunnels (Network > IPSec Tunnels) after upgrading the firewall to PAN-OS 7.1.7.
Fixed an issue where firewalls configured to perform destination NAT misidentified applications after incorrectly adding the public IP addresses of destination servers to the App-ID cache.
Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptic curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
Fixed an issue where certificates created locally on the firewall had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.
Fixed an issue where retrieving threat packet captures took longer than expected through the web interface (Monitor > Logs > Threat) or PAN-OS XML API.
Fixed an issue where modifying the BFD profile in a virtual router (Network > Virtual Routers) caused the routed process to stop responding.
Fixed an issue on the firewall and Panorama where the management server (mgmtserver) process restarted after you tried to filter a Policies > <policy_type> list based on specific strings such as 00 or 000.
Fixed an issue where administrators could not log in to the firewall using LDAP credentials after a PAN-OS upgrade.
Fixed an issue in large-scale deployments where the User-ID process (useridd) stopped responding due to a loop condition because firewalls configured as User-ID agents repeatedly redistributed the same IP address-to-username mappings.
Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture).
Fixed an issue where firewalls configured as DHCP clients did not receive IP addresses from the DHCP server because the firewalls did not set the gateway IP address (giaddr) value to zero in DHCP client reply messages.
Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to Regex Identifier (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters) matched a null character in a syslog message.
Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that indicated LDAP servers were down.
Fixed an issue where firewalls did not resume forwarding logs to Log Collectors after Panorama management servers in a high availability (HA) configuration recovered from a split-brain condition.
Fixed an issue where an intrazone block rule shadowed a universal rule that had different source and destination zones.
Fixed an issue where the logs that the firewall forwarded to a syslog server had syslog header timestamps that did not match the times when the firewall generated the logs.
Fixed an issue where the firewall did not connect to a SCEP server if the SCEP service route used a loopback interface as the Source Interface (Device > Setup > Services > Service Route Configuration).
Fixed an issue where the firewall dataplane restarted because packet processing processes stopped responding for HTTP traffic involving URL percent-encoding.
Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64, and 128 plus 63 equals 191. In this case, if you performed a log query or export and there were 191 logs, the management server stopped responding.
Fixed an issue where the Panorama management server did not display the logs collected from PA-7000 Series firewalls that were assigned to a device group that was the child of the Device Group selected on the Monitor tab of the web interface.
Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out-of-sync.
Fixed an issue where VM-Series firewalls in a high availability (HA) configuration displayed the wrong link state after a link-monitoring failure.
Fixed an issue where logs exported in CSV format had columns that were not aligned correctly.
Fixed an issue where, when the session synchronization rate was very high, firewalls in a high availability (HA) configuration dropped Backup keep-alive messages, which caused flapping on the HA2 interface.
Fixed an issue where the firewall web interface referred to external dynamic lists (EDLs) as block lists in the Destination Address drop-down of policy rules (Policies > <policy_type> > <rule> > Destination). With this fix, the Destination Address lists EDLs under the External Dynamic List header.
Fixed an issue on the VM-Series firewall on Hyper-V where VLAN trunking did not enable the firewall to process traffic on multiple subinterfaces using VLAN tags.
Fixed an issue where adding more OSPF areas to a virtual router that had no neighbors (Network > Virtual Routers > <virtual_router_configuration> > OSPF > Areas) caused BFD sessions to flap on connections to existing OSPF neighbors.
Fixed an issue on Panorama where a custom scheduled report configured for a device group was empty when exported.
Fixed an issue where a switch connected to firewalls in an active/passive high availability (HA) configuration stopped learning MAC addresses after HA failover.
Fixed an issue on PA-7000 Series firewalls where NPC slots went down due to missing heartbeats.
Fixed an issue where firewalls in an active/active high availability (HA) configuration did not perform an autocommit after rebooting (such as after a PAN-OS upgrade), which prevented the firewalls from applying policies.
Fixed an issue where Panorama stopped the report generation process at 80% for a SaaS Application Usage report for a Device Group that had a space in its name (Panorama > Monitor > PDF Reports > SaaS Application Usage).
Fixed an issue on firewalls with an IPv6 configuration where the mprelay process stopped responding.
Fixed an issue where CPU utilization stayed at 100% on the dataplanes of firewalls in an active/active high availability (HA) configuration when the firewalls had multiple virtual systems, used SSL Forward Proxy Decryption, and connected to third-party Layer 3 devices.
Fixed an issue where an SNMP walk operation on an SNMP manager displayed a discrepancy between the number of interfaces and interface descriptions because the firewall did not decrease the number of SNMP interface indexes after you removed logical interfaces from the configuration.