PAN-OS 7.1.3 Addressed Issues
PAN-OS® 7.1.3 addressed issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.3 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Fixed an issue where the Panorama management server had a memory increase due to syncing of WildFire reports from Panorama to log collectors.
Fixed an issue where the management plane of Panorama M-100 and M-500 appliances stopped responding when renaming objects or Security policy rules due to memory corruption.
Fixed an issue where commits failed due to a memory leak related to HA sync of the candidate configuration that caused the passive Panorama peer to stop responding.
Fixed an issue where a certificate signing request (CSR) using Simple Certificate Enrollment Protocol (SCEP) over SSL failed due to buffer limit (signing over non-SSL worked correctly).
Fixed an issue where disabling and importing local copies of Panorama policies and objects resulted in exclusion of Log Forwarding profile imports on multiple virtual systems (multi-vsys).
VLAN tag translation is enhanced so that the firewall now preserves the Priority Code Point value (802.1P) in the Layer 2 VLAN tag field when receiving a frame on one VLAN Tag port and then forwarding it to another VLAN Tag port. See Changes to Default Behavior for more information about this enhancement in PAN-OS 7.1.3 and about further enhancements in PAN-OS 7.1.5.
Fixed an issue where a role-based administrator could view unified logs under the Monitor tab but could not export these logs.
Fixed an issue where firewall incorrectly applied Policy Based Forwarding (PBF) to sessions created via prediction (such as ftp-data sessions).
Fixed an issue where PAN-OS log integration with AutoFocus did not use proxy server settings.
Fixed an issue where firewall running on a VMware NSX edition firewall had incorrect address-group objects pushed via Panorama updates.
Fixed an issue where a firewall running PAN-OS 7.1 failed to block HTTP-Video applications.
Fixed an issue where dataplane CPU usage became excessive after upgrading from PAN-OS 7.0 to PAN-OS 7.1.
Fixed an issue where NAT translation did not work as expected when the administrator deleted a virtual system (vsys) from a firewall with multiple virtual systems (multi-vsys) and NAT rules configured without first deleting NAT rules associated with the vsys. With this fix, when an administrator deletes a vsys, the firewall automatically deletes NAT rules associated with that vsys.
Fixed an issue where a firewall dropped incoming PSH+ACK segments from the server.
Fixed an issue where role-based Panorama administrators were unable to perform commits because the Commit dialog opened and immediately closed without allowing these administrators to modify, preview, or confirm their commit requests.
Fixed an issue where Panorama pushed unused shared address objects to the firewall when the name of the object matched another pushed address object from the device group for that firewall even though the Share Unused Address and Service Objects with Devices option was unchecked.
Fixed an issue where a firewall failed to learn of OSPF neighbors that were on interfaces configured with a maximum transmission unit (MTU) of 9216 because the OSPF database exchange could fail for jumbo packets.
Fixed an issue on PA-7000 Series firewalls configured as HA pairs where, after the active firewall failed over to become the passive firewall, the newly passive firewall restarted with the error message: internal packet path monitoring failure . With this fix, the firewall will not restart after becoming passive.
Fixed an issue where the firewall generated WildFire Submissions logs with an incorrect email subject and sender information when sending more than one email to a recipient in a POP3 session.
Fixed an issue where a PA-200 firewall reported an antivirus update job as successful when the update downloaded without installing. With this fix, a larger timeout value allows the installation to complete.
Fixed an issue where the firewall did not log email sender, receiver, or subject in WildFire Submissions log.
Fixed an issue where autocommit failed if an administrator configured an IPSec tunnel using the manual-key method.
Fixed a rare issue where a bind request from the firewall to the LDAP server failed.
Fixed an issue where the firewall interpreted a truncated external dynamic list IP address (such as 126.96.36.199/) as 0.0.0.0/0 and blocked all traffic. With this fix, the firewall ignores incorrectly formatted IP address entries.
Fixed an issue where SSH decryption caused a dataplane memory leak and restart.
Fixed an issue where the GlobalProtect endpoint incorrectly failed the Host Information Profile (HIP) evaluation when there is an empty missing-patch tag in the HIP Report and the Check setting for patch management in HIP Objects criteria was set to has-all (Objects > GlobalProtect > HIP Objects > Patch Management > Criteria).
Fixed an issue where WildFire platforms experienced non-responsive processes and sudden restarts under certain customer-specific traffic conditions.
In PAN-OS 7.1.3 and later releases, the Application Command Center (ACC) includes the following usability enhancements:
Fixed an issue where an administrator who is not a superuser was unable to view detailed configuration changes using Logs > Configuration. With this fix, administrators of all types are able to view detailed configuration changes.
Fixed an issue where a firewall configured for DHCP relay (with multiple DHCP relays or in certain firewall virtual system configurations) rebroadcast a DHCP packet on the same interface that received the packet, which caused a broadcast storm. With this fix, the firewall drops duplicate broadcasts instead of retransmitting them.
Fixed an issue on Panorama where an administrator received a File not found error when attempting to view a threat packet capture (pcap).
Fixed an issue where a process (l3svc) stopped responding when processing a large number of user authentication requests.
Fixed an issue on PA-200 firewalls where the firewall stalled during boot-up after an upgrade from PAN-OS 6.1.12 or an earlier PAN-OS 6.1 release to a PAN-OS 7.0 or later release.
Fixed an issue on Panorama where exporting the device state failed if a running-config.xml file already existed in the target location, which resulted in one or more Server error messages. With this fix, the new device state file exports as expected.
Fixed an issue where using the hold and resume features during a call resulted in one-way audio when the call manager or SIP proxy was in a different zone than either the called or the calling party.
Fixed an issue where stale next-hop MAC entries persisted on the session offload processor after you modified a subinterface configuration, which caused SSH connections to fail. With this fix, the management plane cache no longer duplicates next-hop MAC entries, which prevents the stale entries that caused SSH connections to fail.
Fixed an issue where the firewall restarted the dataplane after a process stopped responding.
Fixed a user interface issue on firewalls and Panorama where searches on Correlated Events logs using classless subnets (for example, /21 instead of /24) failed to give the correct results.
Fixed the issue where, if the firewall processed a high volume of BFD sessions for routing peers that use BGP, OSPF or RIP, and the firewall also processed a high volume of packets belonging to existing sessions that were not offloaded, the BFD sessions to those peers flapped when the firewall received a content update.
Fixed an issue where PA-7000 Series firewalls experienced BGP disconnections because the firewall failed to send keepalive messages to neighbors within specified timers.
Fixed an issue on firewalls running a PAN-OS 7.0 or later release where the web interface became inaccessible (502 bad gateway error) when sending a high rate of concurrent User-ID XML API POST requests.
Fixed an issue on Panorama where creating an exemption for a threat name from the Threat log caused the web interface to display the exemption multiple times depending on the number of sub-device groups. After the fix, the interface correctly displays only one profile name.
Fixed an issue on PA-5000 Series firewalls where the FPGA did not initialize. With this fix, the FPGA is automatically reprogrammed after an initialization failure so that it can attempt to reinitialize (multiple times) before triggering a boot failure.
Fixed an issue where the firewall did not authenticate a syslog server's certificate signed by a trusted root certificate authority (CA) included in the predefined trusted root certificate list, which caused connection issues with syslog forwarding over SSL. With this fix, the firewall can authenticate the syslog server's certificate and can establish SSL connections.
A security-related fix was made to address CVE-2016-0777 and CVE-2016-0778 (PAN-SA-2016-0011).
Fixed an issue on PA-7000 Series firewalls where Botnet reports were not created consistently due to a log cleanup job that ran just before the Botnet reports were generated, which—on some days—resulted in empty or no Botnet reports. With this fix, the botnet log cleanup job takes place after the daily generation of Botnet reports so that daily reports are created and populated as expected.
Fixed an issue where decrypted SSH sessions were not mirrored to the decrypt mirror interface as expected.
A security-related fix was made to address a stack overflow condition (PAN-SA-2016-0024).
Fixed an issue where User Activity Reports delivered via the Email Scheduler were empty if the username contained German language-specific characters.
Fixed an issue where VM-Series firewalls deployed in AWS firewalls used UDP port 24946 for HA2 keep-alive packets instead of UDP port 29281.
Fixed an issue where the firewall restarted unexpectedly when trying to delete a tunnel interface configuration.
Fixed an issue where the dataplane restarted and dataplane processes stopped responding when passing SSH traffic using SSH decryption.
Fixed an issue where Panorama did not log if the Force Template Values option was in the checked state when applying a template or Device Group commit. With this fix, the Panorama logs will indicate if the Force Template Values option is in the checked state when doing a template or Device Group commit.
Fixed an issue where, after an upgrade, the firewall did not use the previously configured system-wide proxy configuration (Device > Setup > Services) for accessing the WildFire public cloud (PAN-OS 7.0 introduced a separate WildFire proxy configuration Device > Setup > WildFire). With this fix, the upgrade process automatically uses the previous proxy configuration when creating the WildFire public cloud configuration.
Fixed a Panorama issue where the virtual memory for a process (configd) exceeded its allocation, which caused commit and HA sync attempts to fail.
Fixed an issue where exporting custom reports to CSV, XML, and PDF failed.
Fixed an issue where VM-Series firewalls experienced packet loss. With this fix, an internal buffer is increased in size to prevent the packet loss.
Recommended For You
Recommended videos not found.