End-of-Life (EoL)

PAN-OS 7.1.3 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS® 7.1.3 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
| Issue ID | Description |
|---|---|
| 98602 | Fixed an issue where the Panorama management server had a memory increase due to syncing of WildFire reports from Panorama to log collectors. |
| 97313 | Fixed an issue where the management plane of Panorama M-100 and M-500 appliances stopped responding when renaming objects or Security policy rules due to memory corruption. |
| 96792 | Fixed an issue where commits failed due to a memory leak related to HA sync of the candidate configuration that caused the passive Panorama peer to stop responding. |
| 96634 | Fixed an issue where a certificate signing request (CSR) using Simple Certificate Enrollment Protocol (SCEP) over SSL failed due to buffer limit (signing over non-SSL worked correctly). |
| 96140 | Fixed an issue where disabling and importing local copies of Panorama policies and objects resulted in exclusion of Log Forwarding profile imports on multiple virtual systems (multi-vsys). |
| 95747 | VLAN tag translation is enhanced so that the firewall now preserves the Priority Code Point value (802.1P) in the Layer 2 VLAN tag field when receiving a frame on one VLAN Tag port and then forwarding it to another VLAN Tag port. See Changes to Default Behavior for more information about this enhancement in PAN-OS 7.1.3 and about further enhancements in PAN-OS 7.1.5. |
| 95275 | Fixed an issue where a role-based administrator could view unified logs under the Monitor tab but could not export these logs. |
| 95133 | Fixed an issue where the firewall incorrectly applied Policy Based Forwarding (PBF) to sessions created via prediction (such as ftp-data sessions). |
| 95047 | Fixed an issue where PAN-OS log integration with AutoFocus did not use proxy server settings. |
| 94930 | Fixed an issue where a VMware NSX edition firewall had incorrect address-group objects pushed via Panorama updates. |
| 94914 | Fixed an issue where a firewall running PAN-OS 7.1 failed to block HTTP-Video applications. |
| 94790 | Fixed an issue where dataplane CPU usage became excessive after upgrading from PAN-OS 7.0 to PAN-OS 7.1. |
| 94765 | Fixed an issue where NAT translation did not work as expected when the administrator deleted a virtual system (vsys) from a firewall with multiple virtual systems (multi-vsys) and NAT rules configured without first deleting NAT rules associated with the vsys. With this fix, when an administrator deletes a vsys, the firewall automatically deletes NAT rules associated with that vsys. |
| 94573 | Fixed an issue where a firewall dropped incoming PSH+ACK segments from the server. |
| 94570 | Fixed an issue where role-based Panorama administrators were unable to perform commits because the Commit dialog opened and immediately closed without allowing these administrators to modify, preview, or confirm their commit requests. |
| 94533 | Fixed an issue where Panorama pushed unused shared address objects to the firewall when the name of the object matched another pushed address object from the device group for that firewall even though the Share Unused Address and Service Objects with Devices option was unchecked. |
| 94435 | Fixed an issue where a firewall failed to learn of OSPF neighbors that were on interfaces configured with a maximum transmission unit (MTU) of 9216 because the OSPF database exchange could fail for jumbo packets. |
| 94282 | Fixed an issue on PA-7000 Series firewalls configured as HA pairs where, after the active firewall failed over to become the passive firewall, the newly passive firewall restarted with the error message: internal packet path monitoring failure. With this fix, the firewall will not restart after becoming passive. |
| 94165 | Fixed an issue where the firewall generated WildFire Submissions logs with an incorrect email subject and sender information when sending more than one email to a recipient in a POP3 session. |
| 94136 | Fixed an issue where a PA-200 firewall reported an antivirus update job as successful when the update downloaded without installing. With this fix, a larger timeout value allows the installation to complete. |
| 94097 | Fixed an issue where the firewall did not log email sender, receiver, or subject in WildFire Submissions log. |
| 93783 | Fixed an issue where autocommit failed if an administrator configured an IPSec tunnel using the manual-key method. |
| 93778 | Fixed a rare issue where a bind request from the firewall to the LDAP server failed. |
| 93770 | Fixed an issue where the firewall interpreted a truncated external dynamic list IP address (such as 8.8.8.8/) as 0.0.0.0/0 and blocked all traffic. With this fix, the firewall ignores incorrectly formatted IP address entries. |
| 93729 | Fixed an issue where SSH decryption caused a dataplane memory leak and restart. |
| 93667 | Fixed an issue where the GlobalProtect endpoint incorrectly failed the Host Information Profile (HIP) evaluation when there is an empty missing-patch tag in the HIP Report and the Check setting for patch management in HIP Objects criteria was set to has-all (Objects > GlobalProtect > HIP Objects > Patch Management > Criteria). |
| 93458 | Fixed an issue where WildFire platforms experienced non-responsive processes and sudden restarts under certain customer-specific traffic conditions. |
| 93276 | In PAN-OS 7.1.3 and later releases, the Application Command Center (ACC) includes the following usability enhancements: • You can Jump to Unified logs from an ACC widget; previously you could jump to all log types, except the Unified logs. • You can easily promote an IP address or a user as a global filter from a table within an ACC widget. The context drop-down that appears next to the value allows you to promote the users or IP address as a global filter. |
| 93218 | Fixed an issue where an administrator who is not a superuser was unable to view detailed configuration changes using Logs > Configuration. With this fix, administrators of all types are able to view detailed configuration changes. |
| 92934 | Fixed an issue where a firewall configured for DHCP relay (with multiple DHCP relays or in certain firewall virtual system configurations) rebroadcast a DHCP packet on the same interface that received the packet, which caused a broadcast storm. With this fix, the firewall drops duplicate broadcasts instead of retransmitting them. |
| 92912 | Fixed an issue on Panorama where an administrator received a File not found error when attempting to view a threat packet capture (pcap). |
| 92684 | Fixed an issue where a process (l3svc) stopped responding when processing a large number of user authentication requests. |
| 92610 | Fixed an issue on PA-200 firewalls where the firewall stalled during boot-up after an upgrade from PAN-OS 6.1.12 or an earlier PAN-OS 6.1 release to a PAN-OS 7.0 or later release. |
| 92467 | Fixed an issue on Panorama where exporting the device state failed if a running-config.xml file already existed in the target location, which resulted in one or more Server error messages. With this fix, the new device state file exports as expected. |
| 91726 | Fixed an issue where using the hold and resume features during a call resulted in one-way audio when the call manager or SIP proxy was in a different zone than either the called or the calling party. |
| 91497 | Fixed an issue where stale next-hop MAC entries persisted on the session offload processor after you modified a subinterface configuration, which caused SSH connections to fail. With this fix, the management plane cache no longer duplicates next-hop MAC entries, which prevents the stale entries that caused SSH connections to fail. |
| 91269 | Fixed an issue where the firewall restarted the dataplane after a process stopped responding. |
| 91202 | Fixed a user interface issue on firewalls and Panorama where searches on Correlated Events logs using classless subnets (for example, /21 instead of /24) failed to give the correct results. |
| 91171 | Fixed an issue where, if the firewall processed a high volume of BFD sessions for routing peers that use BGP, OSPF or RIP, and the firewall also processed a high volume of packets belonging to existing sessions that were not offloaded, the BFD sessions to those peers flapped when the firewall received a content update. |
| 91086 | Fixed an issue where PA-7000 Series firewalls experienced BGP disconnections because the firewall failed to send keepalive messages to neighbors within specified timers. |
| 90691 | Fixed an issue on firewalls running a PAN-OS 7.0 or later release where the web interface became inaccessible (502 bad gateway error) when sending a high rate of concurrent User-ID XML API POST requests. |
| 90618 | Fixed an issue on Panorama where creating an exemption for a threat name from the Threat log caused the web interface to display the exemption multiple times depending on the number of sub-device groups. After the fix, the interface correctly displays only one profile name. |
| 90596 | Fixed an issue on PA-5000 Series firewalls where the FPGA did not initialize. With this fix, the FPGA is automatically reprogrammed after an initialization failure so that it can attempt to reinitialize (multiple times) before triggering a boot failure. |
| 90560 | Fixed an issue where the firewall did not authenticate a syslog server's certificate signed by a trusted root certificate authority (CA) included in the predefined trusted root certificate list, which caused connection issues with syslog forwarding over SSL. With this fix, the firewall can authenticate the syslog server's certificate and can establish SSL connections. |
| 90508 | A security-related fix was made to address CVE-2016-0777 and CVE-2016-0778 (PAN-SA-2016-0011). |
| 90326 | Fixed an issue on PA-7000 Series firewalls where Botnet reports were not created consistently due to a log cleanup job that ran just before the Botnet reports were generated, which, on some days, resulted in empty or no Botnet reports. With this fix, the botnet log cleanup job takes place after the daily generation of Botnet reports so that daily reports are created and populated as expected. |
| 90256 | Fixed an issue where decrypted SSH sessions were not mirrored to the decrypt mirror interface as expected. |
| 89984 | A security-related fix was made to address a stack overflow condition (PAN-SA-2016-0024). |
| 89551 | Fixed an issue where User Activity Reports delivered via the Email Scheduler were empty if the username contained German language-specific characters. |
| 89007 | Fixed an issue where VM-Series firewalls deployed in AWS used UDP port 24946 for HA2 keep-alive packets instead of UDP port 29281. |
| 88334 | Fixed an issue where the firewall restarted unexpectedly when trying to delete a tunnel interface configuration. |
| 88307 | Fixed an issue where the dataplane restarted and dataplane processes stopped responding when passing SSH traffic using SSH decryption. |
| 88194 | Fixed an issue where Panorama did not log if the Force Template Values option was in the checked state when applying a template or Device Group commit. With this fix, the Panorama logs will indicate if the Force Template Values option is in the checked state when doing a template or Device Group commit. |
| 88029 | Fixed an issue where, after an upgrade, the firewall did not use the previously configured system-wide proxy configuration (Device > Setup > Services) for accessing the WildFire public cloud (PAN-OS 7.0 introduced a separate WildFire proxy configuration Device > Setup > WildFire). With this fix, the upgrade process automatically uses the previous proxy configuration when creating the WildFire public cloud configuration. |
| 84461 | Fixed a Panorama issue where the virtual memory for a process (configd) exceeded its allocation, which caused commit and HA sync attempts to fail. |
| 83165 (PAN-49890) | Fixed an issue where exporting custom reports to CSV, XML, and PDF failed. |
| 83008 | Fixed an issue where VM-Series firewalls experienced packet loss. With this fix, an internal buffer is increased in size to prevent the packet loss. |
