A security-related fix was made to prevent the decryption of captured sessions through the ROBOT attack (CVE-2017-17841).

Fixed an issue where VM-Series firewalls intermittently dropped fragmented traffic.

Fixed an issue where a firewall in FIPS/CC mode intermittently switched to maintenance mode.

Fixed an issue where importing a firewall configuration into a Panorama management server deleted certain Panorama shared objects.

Fixed an issue on firewalls configured as DHCP servers and deployed in a high availability (HA) configuration where, after HA failover, commits failed and the following error message displayed: Management server failed to send phase 1 to client dhcpd.

Fixed an issue on PA-5000 Series firewalls running PAN-OS 7.1.12 or a later 7.1 release where insufficient proxy memory caused decryption failures and prevented users from accessing the GlobalProtect portal or gateway.

Fixed an issue where firewalls dropped TCP/UDP-based application traffic over a GlobalProtect VPN tunnel in high latency networks.

Fixed an issue where the firewall misidentified Signiant-based traffic as HTTP-proxy traffic and therefore did not apply policy correctly to that traffic.

Fixed an issue where high packet-descriptor utilization caused the firewall to drop traffic over an IPSec tunnel that used the Authentication Header protocol for key exchange.

Fixed an issue where the firewall rebooted repeatedly because the User-ID process (userid) stopped responding after you committed a Mobile Security Manager (MDM) configuration that failed to connect the firewall to the MDM (Network > GlobalProtect > MDM).

Fixed an issue on PA-7000 Series firewalls where the logrcvr process had a memory leak.

Fixed an issue where firewalls did not send queries for updated user mappings to User-ID agents; instead, the firewalls waited until the agents learned and forwarded new user mappings. By default with this fix, the firewall sends queries to the User-ID agents for unknown users. You can turn off the queries by running the persistent CLI command debug user-id query-unknown-ip off.

Fixed an issue where the firewall rebooted because the User-ID process (useridd) stopped responding after you performed clone or shutdown operations on VMware vCenter.

Fixed an issue where a Denial of Service (DoS) attack resulted in high CPU utilization on the firewall because it centralized session distribution on a single core instead of over all the cores.

Fixed an issue where the Panorama virtual appliance in Legacy mode intermittently stopped processing logs, which caused its firewall connections to flap.

Fixed an issue where firewalls that performed SSL decryption slowed the download of large files over HTTPS on macOS endpoints.

Fixed an issue on the firewall and Panorama management server where a memory leak caused several operations to fail, such as commits, FQDN refreshes, and content updates.

Fixed an issue on M-Series appliances and PA-7000 Series firewalls where the disk-failed, disk-faulty, and pair-disappeared RAID events had only a medium severity level in System logs. With this fix, these events have a critical severity level.

Fixed an issue where the firewall dataplane restarted because the all_pktproc process suddenly started losing heartbeats.

Fixed an issue where using the PAN-OS XML API to collect User-ID mappings caused slow responsiveness in the firewall web interface and CLI.

Fixed an issue where the firewall did not apply your changes in host information profile (HIP) objects and profiles to Security policy rules and HIP Match logs unless GlobalProtect clients reconnected to the GlobalProtect gateway.

Fixed an issue on the Panorama management server where the members count became zero for all existing shared address groups after you imported a firewall configuration.

Fixed an issue where the passive firewall in an active/passive HA deployment lost HA session updates when the active peer had a heavy processing load.

Fixed an issue where the show system state filter-pretty sw.dev.interface.config CLI command did not display the MAC address (hwaddr) or maximum transmission unit (mtu) for aggregate Ethernet interfaces.

Fixed an issue on firewalls in an active/passive HA configuration where rebooting the passive HA peer caused its interfaces to flap.

Fixed an issue where WF-500 appliances returned an error after 18 lines when you ran an SNMP query with a Palo Alto Networks private enterprise OID.