End-of-Life (EoL)
PAN-OS 7.1.5 Addressed Issues
PAN-OS® 7.1.5 addressed issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.5 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues
and any newly addressed issues in these release notes are identified
using new issue ID numbers that include a product-specific prefix.
Issues addressed in earlier releases and any associated known issue
descriptions continue to use their original issue ID.
Issue ID | Description |
---|---|
PAN-63171 | Fixed an issue where, when using the GlobalProtect
agent on a Mac OS X endpoint, the connection from the agent to the
GlobalProtect gateway failed and the agent displayed the error Certificate
error. Restart the service?. |
PAN-63080 | Fixed an issue where, if you had a custom response
page that used a large binary object, a process (websrvr) stopped
responding, which caused the captive portal to not function. |
PAN-62803 | Fixed an issue where, if you configured GlobalProtect
to use certificate-based authentication, users on Chromebook endpoints received
prompts to log on using username and password. |
PAN-62773 | Fixed an issue on VM-Series firewalls in an
HA configuration where synchronization traffic lead to a condition
where the firewall stopped responding. |
PAN-62589 | Fixed an issue on Panorama where a stack configuration
was incomplete and failed with the error message Failed to create
configuration for template, even though the composing templates
had configuration entries present. |
PAN-62339 | Fixed an issue where a process (websrvr) restarted
repeatedly during captive portal redirects because the redirect
URL did not include required vsys and URL arguments. |
PAN-61818 | Fixed an issue where CPU utilization on the
dataplane was higher than expected. |
PAN-61815 | Fixed a rare issue where VM-Series firewalls
stopped generating traffic, threat or URL logs, or lost the ability
to resolve the URL category. |
PAN-61547 | Fixed an issue where a process (snmpd) had
a memory leak that caused frequent SNMP restarts. |
PAN-61521 | Fixed an issue on Panorama where, if you added
a User-ID agent to a template in a template stack, and one of the
templates in the stack did not have a User-ID agent specified, you
would lose User-ID agents from templates in the stack. |
PAN-61146 | Fixed an issue where, if you changed or refreshed
an FQDN configuration with a large number of IP address entries
(more than 32 IPV4 and IPV6 entries) in a single FQDN object, the
firewall or Panorama management server stopped responding. |
PAN-61046 | A security-related fix was made to address
a cross-site request forgery issue (PAN-SA-2016-0032). |
PAN-60872 | Fixed an issue where WildFire falsely identified
Microsoft Word files containing macros as suspicious. |
PAN-60830 | Fixed an issue on firewalls in an HA active-passive
pair where HA configuration sync failed. This issue occurred when
configuration sync from the active firewall happened while the passive
firewall was in a state where a local commit failed. With this fix,
configuration sync from the active firewall overwrites the configuration
on the passive firewall, and configuration sync succeeds. |
PAN-60828 | Fixed an issue where a process (l3svc) restarted
due to missing too many heartbeats, which caused the Captive Portal
to fail to trigger. |
PAN-60819 | Fixed an issue where the dataplane restarted
while processing a chain of tunnel packets. |
PAN-60667 | Fixed an issue where a process (devsrvr) restarted
repeatedly due to a problem with the internal URL cache structure. |
PAN-60587 | Fixed an issue where the firewall did not provide
a blocked page response if you accessed a blocked application over
HTTPS. |
PAN-60568 | A security-related change was made to address
a version disclosure in GlobalProtect (PAN-SA-2016-0026). |
PAN-60444 | Fixed an issue where SCEP enrollment failed
when parsing CA certificates sent by the Aruba ClearPass server. |
PAN-60002 | Fixed an issue where, if you configured virtual
routers with OSPF Type-5 external routes with non-zero forward addresses,
the routing tables of some virtual routers did not contain the routes.
With this fix, OSPF Type-5 external routes install as expected in
the virtual routers. |
PAN-59778 | Fixed an issue where, in very rare cases, the
firewall forwarded frames to incorrect ports because duplicate MAC
address entries were present in the offload processor MAC table.
With this fix, the offload processor will not have duplicate MAC
address entries in the MAC table. |
PAN-59704 | Fixed an issue on VM-Series firewalls where,
if path monitoring for HA used IPv6 addressing, the firewall used
the wrong IPv6 address and path monitoring checking failed. |
PAN-59634 | Fixed an issue in WildFire that led to a false
negative detection on a malicious file. With this fix, WildFire
detects malicious files that launch via powershell.exe. |
PAN-59565 | Fixed an issue where exported log files did
not correctly escape certain characters, such as commas (,), backslashes
(\), and equal-to operators (=). |
PAN-59470 | Fixed an issue where the firewall brought down
a tunnel that terminated at an IKE gateway configured for dynamic
IP addressing when the IP address of the gateway changed. With this
fix, the firewall does not bring down a tunnel if the IKE gateway
dynamic IP address changes. |
PAN-59451 | Fixed an issue where the captive portal response
page did not display the user's IP address as specified by the <user/>
variable in the HTML code for the page. |
PAN-59315 | Fixed an issue where a delay occurred on HA
failover following a control plane failure on the active firewall. |
PAN-5925 898112 | Fixed an issue on firewalls in an HA active/active
configuration where session timeouts for some traffic were unexpectedly
refreshed after a commit or HA sync attempt. However, in PAN-OS
7.1.4, this issue is fixed only for an HA pair where both peers
are running a PAN-OS 7.1 release; this issue is not fixed in a configuration
where one firewall is running a PAN-OS 7.1 release and the other
is running a PAN-OS 7.0 or earlier release. |
PAN-58896 | Fixed an issue where, if you used the CLI command
request system fqdn show to display FQDN objects, the firewall displayed
extra IP addresses that were not associated with the FQDN. |
PAN-58885 | Fixed an issue where dataplane CPU usage became
excessive. |
PAN-58816 | Fixed an issue where, if you configured multiple
virtual systems (Vsys) with non-consecutive identifying numbers,
an SNMP poll of the panVsysActiveSessions OID incorrectly showed
zero session values for some virtual systems. With this fix, SNMP
polling output is correct and matches the equivalent CLI output
of the same data. |
PAN-58657 | Fixed an issue on PA-7000 Series firewalls
where a slot stopped responding due to a memory condition. |
PAN-58322 | Fixed an issue where, if you monitored server
status from the user interface, the connection state appeared to
toggle between the connected and disconnected states even though
the server remained connected. This issue occurred for servers with
agentless user mapping when you selected Enable Session in Device
> User Identification > User Mapping > Palo Alto Networks User-ID
Agent Setup > Server Monitor. |
PAN-58086 | Fixed an issue where a process (devsrvr) restarted
if you committed a configuration that used more than 64 vendor IDs
in a single vulnerability protection rule. With this fix, if you
commit a configuration with more then 64 vendor IDs in a single
rule, you receive a warning that you have exceeded the maximum number
of IDs, and the process restart does not occur. |
PAN-57659 | A security-related fix was made to address
a cross-site scripting (XSS) condition in the web interface (PAN-SA-2016-0031). |
PAN-57464 | Fixed an issue where end users experienced
delays because the firewall sent an RST packet without an ACK flag
to the client. This issue occurred when the firewall applied a security
policy action of Reset Client or Reset Both. |
PAN-57383 | Fixed an issue where SSL decrypted traffic
that used an unsupported RSA key size of 16384 caused the dataplane
to restart. |
PAN-57323 | Fixed an issue where VPN traffic went into
a discard state because the firewall allowed packets to be sent
through the tunnel prior to the completion of the IKE Phase 2 re-key
process. |
PAN-57200 | Fixed an issue where you could not restart
certain firewall processes from the CLI without root access. With
this fix, you can now restart these processes (bfd, cryptod, dhcpd,
ikemgr, keymgr, and pppoed) using the CLI command debug software
restart process. See CLI Changes in PAN-OS 7.1 for more information. |
PAN-57054 | Fixed an issue where, if you redistributed
User-ID mapping information and the mapping used a timeout value
of NEVER, the firewall incorrectly changed the timeout value to
3600. |
PAN-56937 | Fixed an issue where, if you viewed a configuration
diff on the active Panorama server in an HA pair, a process (configd)
restarted on the passive Panorama server. |
PAN-56924 | Fixed an issue where Panorama incorrectly removed
the LDAP domain field when it pushed a template configuration to
a firewall running a PAN-OS 6.x release. This issue occurred in
a configuration where Panorama used a PAN-OS 7.x release and firewalls
used a mixture of PAN-OS 6.x and PAN-OS 7.x releases. |
PAN-56918 | Fixed an issue where firewalls did not recognize
malware that had been Base64 encoded in a zipped RTF file. This
issue occurred during an SMTP session. |
PAN-56650 | Fixed an issue where a log collector failed
to send the system log to the active Panorama peer in an HA active/passive
Panorama configuration after the active peer restarted. |
PAN-56580 | Fixed an issue where throughput in an IPSec
tunnel was lower than expected. With this fix, the firewall defaults
the DSCP field to 0 for ESP packets to improve performance. |
PAN-56456 | Fixed an issue where, if you implemented an
authorization profile for OSPF with MD5 authentication on a firewall
configured for FIPS-CC mode, the dataplane restarted. |
PAN-56438 | Fixed an issue where the internal value for
block time in the Denial of Service (DoS) table exceeded the configured
block time. This issue occurred on firewalls installed in an HA
configuration. |
PAN-56280 | Fixed an issue where the firewall displayed
the status of a 10G SFP+ virtual wire interface as 10000/full/up
when the configured state of the interface was auto/auto/down. This
issue occurred when Link State Pass Through in Network > Virtual
Wires was enabled. |
PAN-56221 | A security-related fix was made to address
a cross-site scripting (XSS) condition in the web interface (PAN-SA-2016-0033). |
PAN-56200 | Fixed an issue where the firewall allowed access
to the search engine's cached version of a web page even though
the page belonged to a URL category blocked by a policy. |
PAN-56034 | Fixed an issue where WildFire platforms experienced
nonresponsive processes and sudden restarts under certain clients'
traffic conditions. |
PAN-55996 | Fixed an issue where the dataplane restarted
when processing SSL packets with an oversized Layer 2 header. |
PAN-55993 | Fixed an issue where user authentication based
on user groups stopped working after you enabled the multiple virtual
systems (multi-vsys) feature. |
PAN-55560 | Fixed an issue where a memory condition caused
the dataplane to restart with the message Dataplane is down: too
many dataplane processes exited. |
PAN-55190 | Fixed an issue where the firewall failed to
resolved URLs on the dataplane. This issue occurred when an out-of-memory
error caused faults in the URL cache. With this fix, the firewall
handles out-of-memory errors correctly, allowing proper resolution
of URLs. |
PAN-54696 | Fixed an issue where incorrect handling of
selective-acknowledgment (SACK) packets caused a decrease in download
speeds on SSL-decrypted traffic. |
PAN-54309 | Fixed an issue in Panorama and where the default
value of Save User Credentials in Network > GlobalProtect > Portals
> GlobalProtect-portal-config > Agent > agent-config > Authentication
was No when it should have been Yes. |
PAN-54196 | Fixed an issue where the firewall did not increment
the packet identifier of RADIUS Access-Request packets as required
by the RFC standard. |
PAN-52379 | A security-related fix was made to address
CVE-2015-5364 and 2015-5366 (PAN-SA-2016-0025). |
PAN-52202 | Fixed an issue where Panorama, when configured
with a log collector, showed logs for a previous date and did not
refresh the log display to show the latest logs. |
PAN-49329 | Fixed an issue where a firewall configured
to block URL categories over HTTPS did not send a FIN/ACK to the
browser to close the connection after sending a block page. This
issue occurred for firewalls configured to perform NAT. |
Recommended For You
Recommended Videos
Recommended videos not found.