End-of-Life (EoL)

PAN-OS 7.1.14 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS® 7.1.14 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
Fixed an issue where PAN-OS removed the IP address-to-username mappings of end users who logged in to a GlobalProtect internal gateway within a second of logging out from it.
Fixed an issue on firewalls with Decryption policy enabled where intermittent packet loss and decryption failures occurred because the firewall depleted its software packet buffer pool.
Fixed an issue where a VM-Series firewall for NSX, after connecting to Panorama, ran multiple dynamic address update jobs over a ten-minute period instead of just one update job.
Fixed an issue where the firewall exported a configuration file of 0 bytes when you used the firewall web interface to export a configuration file (Setup > Operations).
Fixed an issue where blocking proxy sessions to enforce Decryption policy rules caused packet buffer depletion, which eventually resulted in packet loss.
Fixed an issue where PA-5000 Series firewalls in an active/active high availability (HA) configuration intermittently dropped packets due to a race condition that occurred when the session owner and session setup were on different HA peers.
Fixed an issue on PA-3000 Series, PA-500, PA-200, and VM-Series firewalls where QoS throughput dropped on interfaces configured to use a QoS profile with an Egress Max set to 0Mbps or more than 1142Mbps (Network > Network Profiles > QoS Profile).
A security-related fix was made to prevent a command injection condition through the firewall web interface (CVE-2017-15940).
Fixed an issue on PA-7000 Series firewalls where packet captures (pcaps) didn't include packets that matched predict sessions.
A security-related fix was made to prevent a cross-site scripting (XSS) vulnerability in GlobalProtect (CVE-2017-15941).
Fixed an issue where a firewall configured as a DNS proxy (Network > DNS Proxy) failed to resolve an address object (Objects > Addresses) with the Type set to FQDN and a name that ended with a period.
Fixed an issue where memory leaks occurred when you used a Panorama management server running PAN-OS 8.0 or 7.1 to push configurations to PA-7000 Series firewalls running PAN-OS 7.1 or 7.0.
A security-related fix was made to prevent remote code execution through the firewall Management (MGT) interface (CVE-2017-15944).
Fixed an issue where PA-3020 firewalls intermittently dropped sessions and displayed resources-unavailable in Traffic logs when a high volume of threat traffic depleted memory. With this fix, PA-3020 firewalls have more memory for processing threat traffic.
Fixed an issue where the VM-Series firewall lost OSPF adjacency with a peer device because the firewall dropped large OSPF link state packets.
A security-related fix was made to prevent inappropriate disclosure of information through the firewall web interface (CVE-2017-15943).
Fixed an issue where VM-Series firewalls in an active/passive HA configuration added a delay in traffic once every minute while sending Gratuitous Address Resolution Protocol (GARP) packets after you set the Link State to down on a Layer 3 interface (Network > Interfaces > Ethernet > <interface> > Advanced).
Fixed an issue where PA-5000 Series firewalls ran out of disk space because they did not purge logs quickly enough.
Fixed an issue where a commit failed after an application name was moved to a container application.
Fixed an issue where GlobalProtect connections failed due to a memory leak in a management-plane process (sslvpn) that caused the process to restart with the following error: virtual memory limit exceeded.
Fixed an issue where the firewall treated an address object as a region object when the address object had the same name as a deleted region object.
Fixed an issue where the firewall could not establish BGP connections using a loopback interface over a large-scale VPN tunnel between a GlobalProtect satellite and GlobalProtect gateway.
Fixed an issue where the firewall failed to generate a Simple Certificate Enrollment Protocol (SCEP) certificate when you selected a SCEP profile with the Subject containing an email address attribute (Device > Certificate Management > SCEP).
Fixed an issue where, when testing which policy rule applies to traffic between a specified destination and source, the PAN-OS XML API query did not display as much information as the corresponding CLI command (test security-policy-match).
Fixed an issue on the Panorama management server in an HA configuration where the passive HA peer displayed Shared Policy as Out of Sync (Panorama > Managed Devices) even when the device group commit from the active peer succeeded.
Fixed an issue where a firewall in FIPS-CC mode rebooted in maintenance mode after you downloaded GlobalProtect Client software that was listed under Device > GlobalProtect Client but that was unavailable on the Palo Alto Networks Update Server.
Fixed an issue on PA-7000 Series firewalls in an HA configuration where the HA data link (HSCI) interfaces intermittently failed to initialize properly during bootup.
Fixed an issue where the firewall dropped Encapsulating Security Payload (ESP) packets because IPSec sessions were stuck in opening status when Extended Authentication (X-Auth) was enabled (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
Fixed an issue where the firewall didn't display the application groups you created unless your administrative account was assigned an Admin Role profile with privileges enabled for both application groups (full privileges) and application filters (full or read-only privileges). With this fix, only application group privileges are required for viewing application groups.
Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway with Authentication Override enabled (Network > GlobalProtect > Portals > <portal-configuration> > Agent > <agent-configuration> > Authentication).
Fixed an issue where a GlobalProtect satellite sent the wrong certificate chain after you renewed the certificate authority (CA) certificates of GlobalProtect portals and gateways.
Fixed an issue on the Panorama management server where, when you used the PAN-OS XML API to request traffic logs, Panorama limited the response to 1,152 logs instead of the normal limit of 5,000 logs.
Fixed an issue where the firewall intermittently failed to block Gmail or Google Drive uploads.
