End-of-Life (EoL)
PAN-OS 7.1.4 Addressed Issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.4 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Issue ID | Description |
---|---|
99996 | Fixed an issue where the GlobalProtect agent
was unable to retrieve an SCEP-issued user certificate because the
firewall sent an invalid response to the agent, which caused the
agent to stop responding. With this fix, the firewall sends responses
that can be handled by the agent. |
PAN-59258 98112 | Fixed an issue on firewalls in an HA active/active
configuration where session timeouts for some traffic were unexpectedly
refreshed after a commit or HA sync attempt. However, in PAN-OS
7.1.4, this issue is fixed only for an HA pair where both peers
are running a PAN-OS 7.1 release; this issue is not fixed in a configuration
where one firewall is running a PAN-OS 7.1 release and the other
is running a PAN-OS 7.0 or earlier release. |
98164 | Fixed an issue on firewalls where, if you deleted
the proxy server configuration for the AutoFocus service, the configuration
remained. |
97763 | Fixed an issue where a PA-200 firewall failed
to download a PAN-OS software update due to an incorrect disk space
calculation. |
97734 | Fixed an issue where the GlobalProtect pre-logon
VPN failed to establish because the firewall prepended the domain
name to the pre-logon user. |
97689 | Fixed an issue where firewalls stopped responding
because dynamic IPSec peers sent X509_SUBJECT in the Internet Key
Exchange (IKE) payload during Phase 1 negotiation. |
97625 | Fixed an issue on VM-Series firewalls running
on Amazon Web Services (AWS) where a process (devsrvr) stopped responding
after activating the BrightCloud URL filtering license. |
97583 | Fixed an issue where, with SSL Forward Proxy
Decryption enabled, the firewall displayed an expired certificate
error page to end users even though the certificate chain was valid
because there was an expired certificate on the firewall that was
not part of the chain. With this fix, the firewall does not display
the misleading error page. |
97571 | Fixed an issue where reusing previous port
information (tcp-reuse) for new sessions caused traffic in those
sessions to be dropped. |
97549 | Fixed an issue on PA-7000 Series firewalls
where the system log message "Syslog connection failed to server"
appeared repeatedly on the passive firewall of an active/passive
pair when the error condition was not present. With this fix, the
firewall does not display the log message under incorrect conditions. |
97466 | Fixed an issue where a TCP reassembly failure
for a reused TCP session prevented users from accessing Windows
Server 2012 sites and applications. |
97424 | Fixed an issue where firewalls delayed SSL
traffic when unable to resolve the URL category because the Server
Certificate Hostname contained a colon character that the firewall
interpreted as a delimiter for a port number. |
97357 | Fixed an issue where a process (l3svc) stopped
responding while processing captive portal requests that did not
have query arguments. |
97247 | Fixed an issue where a PA-200 firewall failed
to download a content update due to disk space issues after a failed
antivirus update installation. With this fix, the firewall will,
as part of the update installation process, clean up all temporary
files even if the update installation fails. |
97160 | Fixed an issue where a firewall failed to upgrade
to a PAN-OS 7.1 release—or where a firewall running a PAN-OS 7.1
release failed to update to a new content release version—and started
rebooting repeatedly. This issue occurred when the firewall configuration
included an application risk override and the update or upgrade
changed that overridden application to a container (<application>-base).
With this fix, the upgrade or update is successful even if an update
or upgrade changes an overridden application to a container. |
97113 | Fixed an issue where a filter (url contains)
failed to return results from the URL filtering logs if it contained
a generic domain like com or org. With this fix, filters such as
nytimes.com and nytimes will return equivalent results. |
97099 | Fixed an issue where, after importing the configuration
from a Panorama M-100 appliance to a Panorama M-500 appliance, you
could not select the existing security profiles and log-forwarding
profiles. |
97063 | Fixed an issue where User ID group mapping
stopped working due to a race condition. |
96937 | Fixed an issue where Panorama could not sync
to the NSX manager after a reboot or a failover, which caused a
service outage. With this fix, sync works as expected. |
96757 | Fixed an issue on Panorama where an administrator
lost access after trying to commit a Security policy rule that contained
an empty address group. |
96679 | Fixed an issue where the active-secondary firewall
of an HA active/active pair displayed the error message "502 Bad gateway"
instead of an expected URL override page to end users. |
96422 | Fixed an issue where a Panorama administrator
with custom rights configuration could not access the commit window
because the window flashed and disappeared after the administrator
clicked the Commit button. With this fix, when an administrator
does not have privileges to access a commit function, Panorama displays
an error message that indicates access is denied. |
96415 | Fixed an issue where the firewall failed to
pass traffic in strongSwan and Azure IPSec tunnels while using IKEv2
because it did not send a Delete payload during a Phase 2 Child
SA re-keying. With this fix, the firewall correctly sends a Delete
payload during re-keying if it is the node that initiated the re-keying. |
96402 | Fixed an issue where a newly active firewall
in an HA active/passive pair lost the ability to send TCP SYN messages
to its BGP peers, which resulted in dropped traffic. |
96184 | Fixed an issue where the firewall stopped forwarding
logs and discarded logs even when the incoming logging rate was low.
With this fix, the processing of logs is optimized to improve pre-matching
results, and CPU load is reduced to prevent the queue from becoming
full and discarding logs. |
96155 | Fixed an issue on VM-Series firewalls where
the passive firewall interface in an HA pair went down, even with
Passive Link State set to auto in the HA configuration. |
96082 | Fixed an issue where the firewall responded
to Microsoft network load balancing (MS-NLB) multicast packets by
incorrectly sending the multicast address as the source address. |
95978 | Fixed an issue where the firewall did not send
all of the supported algorithms in the signature algorithm extension
of the client hello when negotiating connections with some SSL sites
accessed from version 50 of the Chrome browser, which caused those
connection attempts to fail. |
95864 | Fixed an issue where the GlobalProtect portal
did not negotiate encryption algorithms correctly, which caused
errors on recent releases of browsers with newly available stricter
checking enabled. After this fix, the portal negotiates the correct
algorithms to eliminate browser errors. |
95846 | Fixed an issue where deleting the default administrator
account on the VM-Series firewall in AWS caused the firewall to
go into maintenance mode. This occurred because the firewall, to
reboot successfully, required the SSH key associated with the administrator
account (the private key—ssh-key—used to provision the firewall
in AWS). With this fix, as long as you first create another superuser
account on the firewall, you can delete the default administrator
account and the firewall will reboot successfully. |
95797 | Fixed an issue on Panorama where, if you selected
Group HA Peers, previously selected individual firewalls became
unselected, leaving only the most recently selected firewalls as
part of the grouping configuration. |
95723 | Fixed an issue where authentication failed
when you used secure encrypted cookies if you configured the GlobalProtect
portal or gateway to authenticate using an authentication sequence
and then specified a domain\user in the User/User Group settings
of the agent configuration. |
95622 | Security-related fixes were made to address
issues identified in the May 3, 2016 OpenSSL security advisory (PAN-SA-2016-0020). |
95604 | Fixed an issue where firewalls configured with
OSPFv3 adjacency and AH authentication header profiles failed to
establish full adjacency because the fragmented OSPFv3 packets failed
the AH authentication check. |
95591 | Fixed an issue where the management server would
crash due to excessive printing of debug messages caused by a large
number of FQDN requests. |
95568 | Fixed an issue where configuration commits
on firewalls failed because improper handling of temporary files
related to HA sync for registered IP addresses consumed all available
space in the target (pancfg) disk partition. With this fix, the firewall
eventually deletes temporary files so they don't accumulate and
consume disk space. |
95466 | Fixed an issue where Panorama displayed a false
commit warning that indicated a WildFire scheduled update time overlapped
with content updates (Applications, Threats, and Antivirus). With
this fix, PAN-OS correctly interprets the WildFire schedule update
time and prevents false commit warnings when scheduled update times
do not overlap. |
95039 | Fixed an issue on VM-Series firewalls where
traffic processing slowed down for two to three minutes after the firewall
received a burst of packets on the HA2 data link. |
94922 | Fixed an issue where emails configured to use
the per-virtual system (vsys) SMTP service route were sent using
the global SMTP service route settings. With this fix, emails use
the configured virtual system SMTP service route. |
94820 | Fixed an issue on Panorama where the Adjust
Columns option in Panorama > Device Groups did not adjust columns
properly and caused fields to disappear from view. |
94615 | Fixed an issue on PA-7000 Series firewalls
where the designated Log Card interface did not transmit a gratuitous
ARP upon failover, which caused connectivity issues with neighboring
devices. |
94582 | Fixed an issue where, after you changed the
application risk value to a non-default value, the web interface
displayed the default value and you could only see the configured
value by selecting the application and viewing it manually. With
this fix, the firewall displays the configured value in the interface. |
94372 | Fixed an issue where the firewall truncated
user-group names when the name exceeded 150 characters. With this
fix, the firewall preserves the complete group name even if the
user-group name exceeds 150 characters, up to a maximum of 255 characters. |
94368 | Fixed an issue where, if you configured an
external dynamic lists file with comments indicated by forward slashes
(//), the firewall failed to load the file. |
94166 | Fixed an issue where, if you configured a NetFlow
profile under a virtual system (vsys), you could not assign the
NetFlow profile to a sub-interface that was part of the same vsys. |
93921 | Fixed an issue where commits on Panorama failed
because a process (cord) stopped responding. |
93909 | Fixed an issue where, if the antivirus and
anti-spyware definition files for an application were not present,
the firewall validated host information profile (HIP) reports with
invalid dates. |
93540 | Fixed an issue where the read-only superuser
could not export a threat packet capture (pcap) file from the web
interface, which displayed a "File not found" message. |
93243 | Fixed an issue where a Security policy rule
pushed from Panorama could not be cloned locally on the firewall. |
92762 | Fixed an issue where, regardless of the configured
metric, OSPF preferred Type 2 external metrics over Type 1 external
metrics. |
92701 | Fixed an issue where Panorama displayed an
unauthorized request message to a device group and template administrator
when the administrator attempted to view shared device group policies. |
92621 | Fixed an issue where forwarded threat logs
used inconsistent formatting between the Request field and the PanOSReferer
field. With this fix, the PanOSReferer field uses double quotes
for consistency with the Request field. |
92527 | Fixed an issue where SSL Inbound Inspection
caused a packet buffer leak, leading to degraded performance. |
92523 | Fixed an issue where, for firewalls in an HA
active/active configuration, the predict session for an Oracle redirect
that synchronized to the peer device became stuck in the Opening
State because the parent session was not installed on the peer device.
With this fix, the firewall ensures the parent session is installed
on the peer device and the predict session for the Oracle redirect
transitions to active state to allow for successful Oracle client-to-server
communication. |
92472 | Fixed an issue where, during the connection
of a satellite to the GlobalProtect gateway, the Online Certificate
Status Protocol (OCSP) verification for the GlobalProtect certificate
failed because the OCSP response did not contain the signature certificate. |
92367 | Fixed an issue on Panorama where you could
not filter by device group when in the firewall device context. |
92106 | A security-related fix was made to address
multiple NTP vulnerabilities (PAN-SA-2016-0019). |
92008 | Fixed an issue where, if you used SNMP to check
the status of a tunnel interface, the firewall provided incorrect
information. |
91886 | A security-related fix was made to address
CVE-2015-7547 (PAN-SA-2016-0021). |
91885 | Fixed an issue where the log filter you can
create by clicking a value in the Destination Country or Source
Country column did not work when you chose a country name because
the filter string used the country name instead of the country code. |
91767 | Fixed an issue where adding objects such as
tags to Panorama using the XML API resulted in those objects not
being visible under Policies, Addresses, or Services. |
91492 | Fixed an issue where SSL decryption on firewalls
failed when the server presented a certificate chain that did not
have the expected extension in the root certificate even though
the firewall had the correct root certificate in its default trusted
CA store. |
91474 | Fixed an issue that prevented a firewall in
Common Criteria Evaluation Assurance Level 4 (EAL4) mode from connecting
to Panorama HA pair units in Common Criteria (CC) mode. |
91078 | Fixed an issue where the Reject Default Route
configuration did not work for OSPFv3, which resulted in network
outages. |
90992 | Fixed an intermittent issue where the initial
GlobalProtect client connection to a GlobalProtect portal or gateway
failed with the error "Valid client certificate is required." This
occurred when the certificate profile used CRL/OCSP to check certificate
validity and was due to a problem with the certificate not being
available in the dataplane cache. Subsequent connections worked
because the certificate was added to the cache during the initial
connection attempt. |
90777 | Fixed an issue where the firewall failed to
make the CLI configuration `set authentication radius-vsa-on client-source-ip`
persistent across system restart. |
90677 | Fixed an issue where the flow management (flow_mgmt)
process stopped responding, which caused the dataplane to restart. |
89891 | Fixed an issue where Threat logs forwarded
from the firewall had an extra colon when using TCP for the transport
protocol. With this fix, the format of forwarded logs over TCP and
UDP is consistent. |
88696 | Fixed an issue where, under certain conditions,
a process (mpreplay) frequently restarted due to excessive internal
messaging. |
87032 | Fixed an issue where firewalls and appliances
running Panorama 7.0 or later releases failed to display or download
reports received from firewalls running PAN-OS 6.1 or earlier releases. |
86916 | Fixed an issue where traffic bursts entering
a PA-3000 Series firewall caused short-term packet loss even though
the overall dataplane utilization remained low. This issue was typically
observed when two firewall interfaces on the same firewall were
connected to each other. With this fix, internal thresholds were
modified to prevent packet loss in these conditions. |
85878 | In response to an issue where DNS queries sometimes
caused a Log Collector to run too slowly and caused delays in log
processing, the `debug management-server report-namelookup disable`
CLI command is added to disable DNS lookups for reporting purposes. |
85484 | Fixed an intermittent issue where the GlobalProtect
portal used the cookie instead of the authentication information
provided by the GlobalProtect client, which caused authentication
to fail. With this fix, if a client connects using a cookie, the
GlobalProtect portal ignores the cookie in favor of the authentication
information provided by the GlobalProtect client so that authentication
is successful. |
85361 | Fixed an issue where, if you used the CLI to
input more than 126 addresses in an address group or 126 URLs in
an allow-list, the firewall did not apply the configuration. |
85160 | Fixed an issue where a firewall lost members
of a domain group after a failover from the primary to the secondary
LDAP server when the last modified timestamp for the group was not
the same on both servers. |
84949 | Fixed an issue where M-100 appliances in an
HA active/active configuration forwarded logs only to one syslog
server even though two syslog servers were defined. This issue occurred
only on the primary-secondary appliance and was due to an HA sync
issue. |
84711 | Fixed an intermittent issue where some packets
incorrectly matched Security policy rules, which resulted in App-ID™
policy lookup errors and discarding of packets. |
84496 | Fixed an issue on PA-7000 Series firewalls
where excessive or prolonged log queries caused a memory leak on
the Log Processing Card (LPC). |
84373 | Fixed an issue where Panorama generated an
error when a WildFire update was installed even though the download
and install were successful. |
84046 | Fixed an issue where SSL decryption failed
when a certificate was rejected due to a missing or empty basicConstraints
extension. With this fix, an exception is added to allow a missing
or empty basicConstraints extension for self-signed non-CA certificates,
and the following behaviors will be applied to CAs with regard to
basicConstraints extensions:
|
82138 | Fixed an issue where WildFire reports were
not displayed on the web interface when proxy settings were configured
for the management interface. |
80628 | Fixed an issue where WildFire content updates
showed timestamps with future dates. |
77822 | Fixed an issue where a VM-Series NSX edition
firewall sent Dynamic Address Group information only to the primary
virtual system (VSYS1) on the integrated physical firewall at the
data center perimeter. With this fix, a VM-Series NSX edition firewall
configured to Notify Device Group sends Dynamic Address Group updates
to all virtual systems on a physical firewall running PAN-OS 7.0.8
or a later PAN-OS 7.0 release. |
76197 | Fixed an issue where firewall Traffic logs
displayed unusually large byte counts for http-proxy and http-video
counters due to frequent application shifts between those application-type
packets within a single proxy session. |