End-of-Life (EoL)

PAN-OS 7.1.13 Addressed Issues

PAN-OS® 7.1.13 addressed issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.13 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
Fixed an issue where a process (vm_agent) on a VM-Series firewall on Azure stopped responding after upgrading to PAN-OS 7.1.12 due to a bug in the Azure Linux Agent library (waagentlib) package.
Fixed an issue where a process (vm_agent) on a VM-Series firewall on Azure stopped responding after an update was applied on Azure.
Fixed an issue on PA-7000 Series firewalls where traffic delays occurred due to packet buffer congestion when the all_pktproc process stopped responding. This issue occurred when an incorrect Policy Based Forwarding (PBF) policy rule ID referenced an invalid egress interface.
Fixed an issue on VM-Series firewalls for NSX where dynamic address groups had no members.
Fixed an issue where memory corruption caused the correlation engine process to restart.
Fixed an issue where PA-7000 Series firewalls in a hairpin virtual wire deployment dropped traffic when predict sessions were created. In a hairpin deployment, traffic crosses a firewall twice, in both directions, across the same virtual wire(s) in the same zones.
Fixed an issue where IPSec tunnel phase 2 negotiations failed when attempting to connect to a remote peer when /32 traffic selectors were included in the configuration on the remote peer.
Fixed an issue where client systems could use a translated IP address-and-port pair for only one connection even if you configured the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription). This issue is fixed on all firewall models except PA-7000 Series firewalls (see PAN-99483 in Limitations section).
Fixed an issue where connections that the firewall handles as an Application Level Gateway (ALG) service were disconnected when destination NAT and decryption were enabled. This fix applies only when the ALG service does not change packet lengths before and after NAT translation.
Fixed an issue where the firewall flooded System logs with the following message: Traffic and logging are resumed since traffic-stop-on-logdb-full feature has been disabled.
Fixed an issue on a firewall with multiple virtual systems where policy rules defined for a specific virtual system could not access shared EDL objects.
Fixed an issue where, after a PAN-OS upgrade, packet buffer and descriptor utilization spiked and caused latency in network traffic.
Fixed an issue where the firewall Reset both client and server after you set the Antivirus profile to default in a Security policy rule even though all WildFire actions in the default profile are set to allow (Policies > Security > <security_rule> > Actions).
Fixed an issue where a PA-7000 Series firewall running PAN-OS 7.1.12 or an earlier release stopped saving and displaying new logs due to a memory leak after a Panorama management server running a PAN-OS 8.0 release pushed a predefined report that specified a field that is unrecognized by the firewall running the earlier PAN-OS release (Monitor > Reports > Mobile Network Reports).
Fixed an issue where Panorama failed to export a custom report if you set the Database to Remote Device Data (Monitor > Manage Custom Reports).
Fixed an issue where the root partition ran out of space during generation of a tech support file when the output of the show user user-ids command was extremely large. With this fix, the data saved to the tech support file is modified to show only statistics instead of raw output, which prevents the output from this command from being so large that it fills up all available disk space.
A security-related fix was made to prevent the firewall Management (MGT) interface from becoming unavailable for legitimate use (CVE-2017-15942).
Fixed an issue where the XML API query for show session distribution policy resulted in an error message (An error occurred).
Fixed an issue where the Panorama virtual appliance in Legacy mode purged older Traffic logs even when space was available to store more logs.
Added debug enhancements to capture more details about IKE when third-party VPN clients use the X-AUTH feature.
Fixed an issue on PA-7000 Series firewalls where packet capture intermittently failed.
Fixed an issue where tunnel-bound traffic was incorrectly routed through an ECMP route instead of a PBF route as expected.
Fixed an issue where firewalls in a high availability (HA) active/passive configuration did not always synchronize sessions.
Fixed an issue where SSL Forward Proxy decryption failed for SSL/TLS websites that had unused certificate chains containing algorithms that PAN-OS did not support. With this fix, the firewall verifies only the certificate chains that the websites use.
Fixed an issue where, after logging in to GlobalProtect, end users could access the Firewall PAN-OS XML API without additional authentication.
Fixed an issue where dynamic content updates failed on the firewall when DNS response times were slow.
Fixed an issue where the mprelay process stopped responding when processing IPv6 neighbor discovery updates.
Fixed an issue on PA-7000 Series firewalls where Generic Routing Encapsulation (GRE) session creation failed when the firewalls received GRE packets with a Point-to-Point Protocol (PPP) payload.
Fixed an issue on PA-5000 Series firewalls where using the web interface to display QoS Statistics (Network > QoS) resulted in a memory leak that caused the control plane and dataplane to restart.
Fixed an issue where the Panorama management server retained the Threshold value for update schedules (Device > Dynamic Updates > <update_type_schedule>) in a template stack even after you removed the value from templates in the stack.
Fixed an issue where the User-ID process stopped responding when an NTLM request was received on a vsys where NTLM was not configured
Fixed an issue where administrators were able to download tech support files even when the administrators were not configured with this privilege.
Fixed an issue where the firewall failed to export a report to PDF, XML, or CSV format when the report job ID was higher than 65535.
Fixed an issue where a firewall with a disk full condition could not connect to WildFire or the PAN-DB cloud after a management process restarted. The show wildfire status CLI command displayed the following message: Unable to authenticate remote CA certificate.
Fixed an issue where the Monitor > Botnet report displayed the wrong portion of the URL when the HTTP GET request was too long, while the Monitor > Logs > URL Filtering logs displayed the URL correctly.
Fixed an issue where an HA sync resulted in an empty ethernet1/1 node on the passive peer. This issue occurred when ethernet1/1 on the active HA peer was configured as an Aggregated Ethernet (AE) interface while ethernet1/1 was not configured in the local configuration for the passive peer.
Fixed an issue where the firewall did not record the sender or recipient in WildFire Submission logs for emails in which the header had no white space character between the display name and the email address.
Fixed an issue on VM-Series firewalls that occurred when attempting to shut down the firewall from the VCenter Client or from a Web Client due to a VM-tools integration issue.
Fixed an issue where PA-7000 Series firewalls intermittently dropped packets from GlobalProtect end users if the GlobalProtect IKE gateway used a local interface that was in a different security zone than the physical ingress interface.
Fixed an issue where Panorama took longer than expected to generate reports.
Fixed an issue where Panorama did not display log data in the Monitor or ACC tabs and did not display custom reports.
Fixed an issue where extended packet captures consumed excessive storage space in /opt/panlogs.
Fixed an issue where administrators with custom roles could not perform packet captures or download and install software and content updates.
Fixed an issue where the HL7 application was not correctly identified.

Recommended For You