PAN-OS 7.1.2 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.2 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Fixed an issue where authentication failed on the GlobalProtect gateway because the client tried to authenticate using cookies with domain\user specified in the agent configuration.
Fixed an issue where the VLAN ID was added in the wrong location in the packet payload in Layer 2 deployments, which caused some applications to fail.
Fixed an issue where the User-ID (useridd) process stopped responding when encountering a custom URL category that included a space (" ") character in the category name.
Fixed an issue where strongSwan Linux VPN clients failed to connect to the GlobalProtect gateway because the firewall presented a server certificate that did not include a Common Name (CN) value.
Fixed an issue on firewalls that were upgraded from a PAN-OS 7.0 release to a PAN-OS 7.1 release where GlobalProtect prevented third-party IPSec (X-Auth) clients from connecting to the GlobalProtect gateway. With this fix, you can now upgrade from a PAN-OS 7.0 release to a PAN-OS 7.1.2 or later release to prevent this issue.
If your GlobalProtect firewall is already running a PAN-OS 7.1.0 or 7.1.1 release, you must downgrade to a PAN-OS 7.0 release before upgrading to a PAN-OS 7.1.2 or later release to prevent this issue from occurring after the upgrade.
Fixed an issue where the firewall failed to connect to AutoFocus unless you manually re-entered the URL in the AutoFocus settings (Device > Setup > Management) even though the URL was correctly pre-configured. With this fix, the firewall connects to AutoFocus as expected using the prepopulated AutoFocus URL.
Fixed an issue where commits failed if you configured two proxy IDs on a single tunnel using the same source, destination subnets, and protocol because the proxy IDs appeared to be duplicates of each other even though they were configured with different ports. With this fix, the firewall also uses the port value when determining whether proxy IDs are unique or duplicates.
Fixed an issue where Panorama™ Device Group and Template administrators were unable to perform commits because the Commit dialog opened and immediately closed without allowing administrators to modify, preview, or confirm their commit requests.
Fixed an issue where configurations pushed from Panorama running a 7.1 release to a firewall running a PAN-OS 7.0 or earlier release incorrectly deleted the gateway configuration even when address objects were not included in the pushed configuration. With this fix, the gateway configuration is deleted only when the pushed configuration includes address objects.
Fixed an issue where predefined URL categories were not populated in Security and Decryption policy rules as expected when using BrightCloud as the URL database.
Fixed an issue where a process (configd or mgmtsrvr) restarted due to the use of special characters (such as a bracket character, "[" or "]") in a search field (for example, in the Address section).
Fixed an issue where you were unable to deploy a VM-Series firewall using a VHD exported from an existing VM-Series firewall in Azure.
Fixed an issue on an M-100 appliance in Log Collector mode where locally-created proxy configurations were lost when a commit was performed from Panorama. With this fix, locally-created proxy configurations persist after a Panorama commit.
Fixed an issue where the DNS proxy template object that was pushed from Panorama did not override that object on the firewall as expected.
Fixed an issue where packet diagnostics failed due to an unnecessarily large debug log related to HA3 packet forwarding.
Fixed an issue on PA-3000 Series firewalls where processing jumbo frames that were larger than 7,000 bytes during a period of heavy traffic caused the FPGA to stop responding. With this fix, the FPGA thresholds are adjusted to correctly handle up to 9KB jumbo frames.
A security-related fix was made to address a privilege escalation issue (PAN-SA-2016-0015).
Fixed an issue where the web interface and CLI reported that configurations were out of sync between HA peers even when the peers were in sync. With this fix, sync status is reported correctly.
Fixed an issue where a process (logrcvr) stopped responding and restarted repeatedly after an upgrade to content release version 571, which caused the firewall to reboot. Content release version 572 mitigated this issue but this fix ensures that firewalls running PAN-OS 7.1.2 or later releases will not be affected by this issue.
Fixed an issue where the API browser displayed the incorrect XML API syntax for the show arp all command.
Fixed an issue on firewalls and Panorama running a 7.1.0 or 7.1.1 release where the firewall mgmtsrvr or Panorama reportd process stopped responding and caused the process to restart after displaying the following message: SYSTEM ALERT : critical : mgmtsrvr (or reportd) - virtual memory limit exceeded, restarting. This issue was caused by a memory leak that occurred when viewing logs of single log types (such as Traffic or Threat).
Fixed an issue where ACC logs did not resolve IP addresses to FQDN under destination IP activity.
Fixed an issue where the firewall did not properly process active FTP data sessions if the FTP client reused—within a short period of time—the destination port number that was negotiated in the FTP control session.
PAN-OS 7.1.2 and later releases are enhanced to prevent an issue where multiple SFP+ ports coming up at the same time resulted in a race condition that caused ports to enter a re-initialization phase that added a delay of several seconds before ports came up.
Fixed an issue on PA-7050 firewalls in an HA active/active configuration where jumbo frames that included the DF (do not fragment) bit were dropped when crossing dedicated HA3 ports.
Fixed an issue on Panorama where the Administrator Use Only option (Template > Device > Radius Profile) was not displayed in the web interface.
Fixed an issue where commits failed due to a validation error that occurred when Panorama pushed Authentication Sequence profiles that included a virtual system that was not migrated properly during an upgrade from a Panorama 6.1 release to a Panorama 7.0 or later release.
Fixed an issue where the Comodo® RSA certificate authority (CA) was not included in the default trusted root on the firewall, which caused SSL decryption to fail on sites using this as their CA.
Fixed an issue on Panorama (virtual and M-Series appliances) where a process (configd) stopped responding when triggering a commit very soon after a reboot and before a database required for the commit process was ready for use. Additionally, administrators received an error message (Administrator does not have access to any device-group data) when they attempted to view Monitor > Logs information or ACC information on the Panorama web interface before the database was ready. With this fix, this database loads faster so that commits and attempts to view Monitor > Logs and ACC information are successful even when attempted immediately following a reboot of Panorama.
A security-related change was made to address a boundary check that caused a service disruption of the captive portal (PAN-SA-2016-0013).
Fixed an issue where firewall Traffic logs displayed unusually large byte counts for sessions passing through proxy servers.
Fixed an issue where an administrator with read-only privilege was unable to export Correlated Events logs in CSV format.
Fixed an issue on a PA-3000 Series firewall running a PAN-OS 7.0.1 or later release with zone protection configured to drop fragmented traffic where outgoing OSPF DB Description packets were fragmented and subsequently dropped, which caused the OSPF neighbor status to get stuck in Exchange state.
Fixed an issue where the set application dump on rule CLI command did not work for Security policy rules pushed to firewalls from Panorama.
Fixed an issue where a Panorama process (configd) stopped responding when trying to add tags to multiple firewalls at the same time.
Fixed an issue where an autocommit of an incremental antivirus update failed after a reload due to a corrupt virus signatures file and a failed incremental installation. With this fix, incremental content installation has enhanced protections to prevent autocommit failures, and will log additional information to assist with troubleshooting.
Fixed an issue where the simultaneous transfer of large files from two different SMB servers over a GlobalProtect connection from a Windows 8 client caused the connection to fail. With this fix, you can enable heuristics on Windows 8 clients or set the tunnel interface MTU size to 1,300 to avoid this issue.
Fixed an issue where an out-of-sequence packet was passed through the firewall.
Fixed an issue on Panorama where performing log queries and reports resulted in incorrect reporting of multiple Panorama logged-in administrators on PA-7000 firewalls.
Fixed an issue on a VM-Series firewall where an ungraceful reboot caused Dynamic IP address information to get out of sync.
Fixed an issue where the dialog for creating certificates and the dialog for editing certificates had different character limits for the certificate name. With this fix, the certificate name field in both dialogs allows up to 63 characters.
Fixed an issue where unused shared objects were calculated incorrectly during a commit from Panorama due to address and service name overlaps.
Fixed an issue where log forwarding in Panorama failed when using syslog over TCP.
Fixed an issue where a GlobalProtect gateway rejected the same routes learned from different LSVPN satellites when the routes were destined for a different virtual router.
Fixed an issue where PAN-OS 7.1 images failed to bootstrap a firewall if the bootstrapping tarball package was created using a Mac OS (BSD-based tar format). With this fix, you can bootstrap firewalls with PAN-OS 7.1.2 or later release images using a BSD-based tarball created using a Mac OS.
Fixed an issue where SSL inbound decryption failed when a client sent a ClientHello with TLS 1.2 while the server supported only TLS 1.0.
Fixed an issue where DNS resolution failed when message compression was disabled on the DNS server, which resulted in case mismatch between CNAME query and answer values in DNS server replies. With this fix, the firewall ignores case in CNAME values so that query and answer values match and DNS requests resolve successfully.
Fixed an issue where you could not display interface QoS counters when the CLI output mode was set to op-command-xml-output.
Fixed an issue with reduced throughput for traffic originating on the firewall and traversing a VPN tunnel.
Fixed an issue where Traffic logs reported cumulative bytes for sessions with TCP port reuse, which caused custom reports to incorrectly report the byte count.
Fixed an issue on a firewall where a process (sslvpn) repeatedly restarted due to an internal thread synchronization issue.
Fixed an issue where some DNS requests were forwarded to the wrong DNS server—the one previously but no longer configured on the firewall.
Fixed an issue where destination-based service routes did not work for RADIUS authentication servers.
Fixed an issue where multiple QoS changes while under a heavy load caused the dataplane to restart.
Fixed an issue with the web interface where uncommitted IPSec proxy ID details were unexpectedly deleted prior to commit.
Fixed an issue where the firewall did not present the URL block page as expected when a proxied request from the client used the CONNECT method.
Fixed an issue on a firewall with an expired BrightCloud license where the specified vendor was unexpectedly and automatically changed from BrightCloud to PAN-DB when any feature auth code was pushed from Panorama to the firewall.
Fixed an issue where voltage alarms were triggered incorrectly (voltage was within the appropriate range).
A security-related fix was made to address CVE-2015-0235.
Fixed an issue where firewalls running PAN-OS 7.0 and earlier releases did not update FQDN entries unless you enabled the DNS proxy caching option (Network > DNS Proxy > <DNS Proxy config> > Advanced).