End-of-Life (EoL)

PAN-OS 7.1.20 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS® 7.1.20 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
A security-related fix was made to address the FragmentSmack vulnerability (CVE-2018-5391 / PAN-SA-2018-0012).
Fixed an issue with dataplane restarts on PA-5000 Series firewalls when multicast traffic matched a stale session on the offload processor that was not cleared as expected.
(The following PA-7000 Series NPCs only: PA-7000-20G-NPC, PA-7000-20GQ-NPC, PA-7000-20GXM-NPC, PA-7000-20GQXM-NPC) Fixed an issue where an egress buffer overflow that impacted internal packet path monitoring caused a high availability (HA) failover.
Additionally, enhancements were made to flow control communication between the traffic manager and flow engine components to improve system stability during periods of heavy traffic.
Fixed an issue where Panorama pushed stale Dynamic Address Group updates when Panorama received most of the updates from an NSX manager that contained multiple updates for the same Dynamic Address Group.
Fixed an issue where the second virtual system (vsys) sent TCP traffic that was out-of-order when that second vsys controlled the proxy session in a multi-vsys configuration.
Fixed an issue where the firewall did not return Captive Portal response pages as expected due to depletion of file descriptors.
Fixed an issue where user-account group members in subgroups (n+1) were unnecessarily queried when nested level was set to n.
Fixed an issue where an administrator with the CLI Device Read privilege was able to discard a session that was revoked.
Fixed an issue where multicast FIB entries were inconsistent across dataplanes, which caused the firewall to intermittently drop multicast packets.
Fixed an issue where an API call resulted in an incorrect response.
Fixed an issue where a firewall forwarded a deleted or expired IP address-to-username mapping to another firewall through User-ID Redistribution but the receiving firewall still displayed the mapping as an active IP address-to-username mapping.
Fixed an issue where firewalls in an active/active HA configuration dropped packets in IPSec tunnel traffic because the secondary firewall didn't update the Encapsulating Security Payload (ESP) sequence number during failover.
Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs) where the firewall dropped tunneled traffic after clear text sessions were established on a different dataplane than the first dataplane (DP0).
Fixed an issue where the firewall did not correctly enforce administrative account expiration settings (Device > Setup > Management > Minimum Password Complexity).
Fixed an issue where a firewall was able to connect to Panorama using an expired certificate.
Fixed an issue on PA-7000 Series firewalls where users failed to authenticate when the Captive Portal host session incorrectly timed out after 5 seconds.
Fixed an issue in Panorama templates where the Panorama management server allowed you to configure a firewall administrator Password (Device > Administrators > <administrator>) that did not meet the minimum password length settings (Device > Setup > Management > Minimum Password Complexity). With this fix, Panorama prevents you from saving a firewall administrator account with a password that does not meet the minimum password length settings.
