PAN-OS 7.1.18 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.18 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over. This fix requires the VMware NSX plugin 2.0.4 or a later version.
Fixed an issue where the passive firewall in an active/passive high availability (HA) configuration rebooted unexpectedly in rare cases due to a kernel file system journaling issue.
Fixed an issue where the GlobalProtect™ portal connection timed out during authentication regardless of the timeout you specified through the set deviceconfig setting global-protect timeout configuration mode CLI command.
Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic due to high CPU usage by the pan_task process.
Fixed an issue where the firewall dataplane restarted, disrupting traffic, because the all_pktproc process stopped responding when the firewall decoded HTTP message bodies with chunked transfer encoding or gzip-compressed data.
A security-related fix was made to prevent a Cross-Site Scripting (XSS) vulnerability in a PAN-OS web interface administration page (CVE-2018-9337).
Fixed an issue where firewalls in an active/passive HA configuration took longer than expected to fail over after you configured them to redistribute routes between an Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP).
Fixed an issue on PA-5000 Series firewalls where multicast traffic failed because PAN-OS did not remove stale sessions from the hardware session offload processor.
Fixed an issue where you could not export certificates when you accessed the firewall web interface through Firefox v56, Chrome v66, or later versions of either browser (Device > Certificate Management > Certificates > Device Certificates).
Fixed an issue on firewalls in an active/passive HA configuration with link or path monitoring enabled where a failover resulting from a link or path failure intermittently caused the deletion of host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that became active. The failover also caused intermittent sending of unnecessary BGP withdrawal messages to BGP peers. With this fix, you can prevent these issues by using the new set system setting delay-interface-process interface <interface-name> delay <0-5000> CLI command (default is 0ms; range is 0 to 5000ms). This command specifies a delay period—after a link fails and before the firewall brings down its associated interface—to provide enough time after failover for the newly active firewall HA peer to become fully active and to synchronize the correct route information with its peer. In most deployments, the best practice is to set the delay to a period that is greater than the sum of the Promotion Hold Time (default 2000ms) and Monitor Fail Hold Up Time (default 0ms).
Fixed an issue where numerous simultaneous LDAP connections (on the order of tens or more) caused the connections between firewalls and User-ID™ agents to become stuck in the connecting state.
Fixed an issue where, after using a Panorama management server running PAN-OS 7.1 to Force Template Values when pushing device group or template configurations to firewalls running an earlier PAN-OS release, FQDN refreshes failed on the firewalls.
Fixed an issue on the Panorama management server and firewall where, after you added new administrator accounts and those administrators logged in, the administrative roles you assigned to those accounts had incomplete and therefore invalid configurations.
Fixed an issue where firewalls in an active/passive HA configuration with OSPF or BGP graceful restart enabled took longer than expected to fail over.
Fixed an issue on firewalls in an active/passive HA configuration where a link-monitoring failure caused a delay in OSPF convergence on the firewall that became active after HA failover.
Fixed an issue where the GlobalProtect gateway did not establish an IPSec VPN tunnel with a peer after you Enable X-Auth Support without specifying a Group Name or Group Password (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings). With this fix, commits fail with a validation error when you Enable X-Auth Support without specifying a Group Name and Group Password.
Fixed an intermittent issue where the firewall failed to refresh group-mapping information because a group-mapping query job (show user group-mapping-service query all) stalled.
Fixed an issue where the firewall dataplane restarted, causing temporary traffic loss, because the mprelay process stopped responding while sending NetFlow updates.