End-of-Life (EoL)

PAN-OS 7.1.5 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS® 7.1.5 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
Fixed an issue where, when using the GlobalProtect agent on a Mac OS X endpoint, the connection from the agent to the GlobalProtect gateway failed and the agent displayed the error "Certificate error. Restart the service?".
Fixed an issue where, if you had a custom response page that used a large binary object, a process (websrvr) stopped responding, which caused the captive portal to not function.
Fixed an issue where, if you configured GlobalProtect to use certificate-based authentication, users on Chromebook endpoints received prompts to log on using username and password.
Fixed an issue on VM-Series firewalls in an HA configuration where synchronization traffic led to a condition where the firewall stopped responding.
Fixed an issue on Panorama where a stack configuration was incomplete and failed with the error message Failed to create configuration for template, even though the composing templates had configuration entries present.
Fixed an issue where a process (websrvr) restarted repeatedly during captive portal redirects because the redirect URL did not include required vsys and URL arguments.
Fixed an issue where CPU utilization on the dataplane was higher than expected.
Fixed a rare issue where VM-Series firewalls stopped generating traffic, threat or URL logs, or lost the ability to resolve the URL category.
Fixed an issue where a process (snmpd) had a memory leak that caused frequent SNMP restarts.
Fixed an issue on Panorama where, if you added a User-ID agent to a template in a template stack, and one of the templates in the stack did not have a User-ID agent specified, you would lose User-ID agents from templates in the stack.
Fixed an issue where, if you changed or refreshed an FQDN configuration with a large number of IP address entries (more than 32 IPv4 and IPv6 entries) in a single FQDN object, the firewall or Panorama management server stopped responding.
A security-related fix was made to address a cross-site request forgery issue (PAN-SA-2016-0032).
Fixed an issue where WildFire falsely identified Microsoft Word files containing macros as suspicious.
Fixed an issue on firewalls in an HA active-passive pair where HA configuration sync failed. This issue occurred when configuration sync from the active firewall happened while the passive firewall was in a state where a local commit failed. With this fix, configuration sync from the active firewall overwrites the configuration on the passive firewall, and configuration sync succeeds.
Fixed an issue where a process (l3svc) restarted due to missing too many heartbeats, which caused the Captive Portal to fail to trigger.
Fixed an issue where the dataplane restarted while processing a chain of tunnel packets.
Fixed an issue where a process (devsrvr) restarted repeatedly due to a problem with the internal URL cache structure.
Fixed an issue where the firewall did not provide a blocked page response if you accessed a blocked application over HTTPS.
A security-related change was made to address a version disclosure in GlobalProtect (PAN-SA-2016-0026).
Fixed an issue where SCEP enrollment failed when parsing CA certificates sent by the Aruba ClearPass server.
Fixed an issue where, if you configured virtual routers with OSPF Type-5 external routes with non-zero forward addresses, the routing tables of some virtual routers did not contain the routes. With this fix, OSPF Type-5 external routes install as expected in the virtual routers.
Fixed an issue where, in very rare cases, the firewall forwarded frames to incorrect ports because duplicate MAC address entries were present in the offload processor MAC table. With this fix, the offload processor will not have duplicate MAC address entries in the MAC table.
Fixed an issue on VM-Series firewalls where, if path monitoring for HA used IPv6 addressing, the firewall used the wrong IPv6 address and path monitoring checking failed.
Fixed an issue in WildFire that led to a false negative detection on a malicious file. With this fix, WildFire detects malicious files that launch via powershell.exe.
Fixed an issue where exported log files did not correctly escape certain characters, such as commas (,), backslashes (\), and equal-to operators (=).
Fixed an issue where the firewall brought down a tunnel that terminated at an IKE gateway configured for dynamic IP addressing when the IP address of the gateway changed. With this fix, the firewall does not bring down a tunnel if the IKE gateway dynamic IP address changes.
Fixed an issue where the captive portal response page did not display the user's IP address as specified by the <user/> variable in the HTML code for the page.
Fixed an issue where a delay occurred on HA failover following a control plane failure on the active firewall.
PAN-5925 898112
Fixed an issue on firewalls in an HA active/active configuration where session timeouts for some traffic were unexpectedly refreshed after a commit or HA sync attempt. However, in PAN-OS 7.1.4, this issue is fixed only for an HA pair where both peers are running a PAN-OS 7.1 release; this issue is not fixed in a configuration where one firewall is running a PAN-OS 7.1 release and the other is running a PAN-OS 7.0 or earlier release.
Fixed an issue where, if you used the CLI command request system fqdn show to display FQDN objects, the firewall displayed extra IP addresses that were not associated with the FQDN.
Fixed an issue where dataplane CPU usage became excessive.
Fixed an issue where, if you configured multiple virtual systems (Vsys) with non-consecutive identifying numbers, an SNMP poll of the panVsysActiveSessions OID incorrectly showed zero session values for some virtual systems. With this fix, SNMP polling output is correct and matches the equivalent CLI output of the same data.
Fixed an issue on PA-7000 Series firewalls where a slot stopped responding due to a memory condition.
Fixed an issue where, if you monitored server status from the user interface, the connection state appeared to toggle between the connected and disconnected states even though the server remained connected. This issue occurred for servers with agentless user mapping when you selected Enable Session in Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor.
Fixed an issue where a process (devsrvr) restarted if you committed a configuration that used more than 64 vendor IDs in a single vulnerability protection rule. With this fix, if you commit a configuration with more than 64 vendor IDs in a single rule, you receive a warning that you have exceeded the maximum number of IDs, and the process restart does not occur.
A security-related fix was made to address a cross-site scripting (XSS) condition in the web interface (PAN-SA-2016-0031).
Fixed an issue where end users experienced delays because the firewall sent an RST packet without an ACK flag to the client. This issue occurred when the firewall applied a security policy action of Reset Client or Reset Both.
Fixed an issue where SSL decrypted traffic that used an unsupported RSA key size of 16384 caused the dataplane to restart.
Fixed an issue where VPN traffic went into a discard state because the firewall allowed packets to be sent through the tunnel prior to the completion of the IKE Phase 2 re-key process.
Fixed an issue where you could not restart certain firewall processes from the CLI without root access. With this fix, you can now restart these processes (bfd, cryptod, dhcpd, ikemgr, keymgr, and pppoed) using the CLI command debug software restart process. See CLI Changes in PAN-OS 7.1 for more information.
Fixed an issue where, if you redistributed User-ID mapping information and the mapping used a timeout value of NEVER, the firewall incorrectly changed the timeout value to 3600.
Fixed an issue where, if you viewed a configuration diff on the active Panorama server in an HA pair, a process (configd) restarted on the passive Panorama server.
Fixed an issue where Panorama incorrectly removed the LDAP domain field when it pushed a template configuration to a firewall running a PAN-OS 6.x release. This issue occurred in a configuration where Panorama used a PAN-OS 7.x release and firewalls used a mixture of PAN-OS 6.x and PAN-OS 7.x releases.
Fixed an issue where firewalls did not recognize malware that had been Base64 encoded in a zipped RTF file. This issue occurred during an SMTP session.
Fixed an issue where a log collector failed to send the system log to the active Panorama peer in an HA active/passive Panorama configuration after the active peer restarted.
Fixed an issue where throughput in an IPSec tunnel was lower than expected. With this fix, the firewall defaults the DSCP field to 0 for ESP packets to improve performance.
Fixed an issue where, if you implemented an authorization profile for OSPF with MD5 authentication on a firewall configured for FIPS-CC mode, the dataplane restarted.
Fixed an issue where the internal value for block time in the Denial of Service (DoS) table exceeded the configured block time. This issue occurred on firewalls installed in an HA configuration.
Fixed an issue where the firewall displayed the status of a 10G SFP+ virtual wire interface as 10000/full/up when the configured state of the interface was auto/auto/down. This issue occurred when Link State Pass Through in Network > Virtual Wires was enabled.
A security-related fix was made to address a cross-site scripting (XSS) condition in the web interface (PAN-SA-2016-0033).
Fixed an issue where the firewall allowed access to the search engine's cached version of a web page even though the page belonged to a URL category blocked by a policy.
Fixed an issue where WildFire platforms experienced nonresponsive processes and sudden restarts under certain clients' traffic conditions.
Fixed an issue where the dataplane restarted when processing SSL packets with an oversized Layer 2 header.
Fixed an issue where user authentication based on user groups stopped working after you enabled the multiple virtual systems (multi-vsys) feature.
Fixed an issue where a memory condition caused the dataplane to restart with the message Dataplane is down: too many dataplane processes exited.
Fixed an issue where the firewall failed to resolve URLs on the dataplane. This issue occurred when an out-of-memory error caused faults in the URL cache. With this fix, the firewall handles out-of-memory errors correctly, allowing proper resolution of URLs.
Fixed an issue where incorrect handling of selective-acknowledgment (SACK) packets caused a decrease in download speeds on SSL-decrypted traffic.
Fixed an issue in Panorama and where the default value of Save User Credentials in Network > GlobalProtect > Portals > GlobalProtect-portal-config > Agent > agent-config > Authentication was No when it should have been Yes.
Fixed an issue where the firewall did not increment the packet identifier of RADIUS Access-Request packets as required by the RFC standard.
A security-related fix was made to address CVE-2015-5364 and CVE-2015-5366 (PAN-SA-2016-0025).
Fixed an issue where Panorama, when configured with a log collector, showed logs for a previous date and did not refresh the log display to show the latest logs.
Fixed an issue where a firewall configured to block URL categories over HTTPS did not send a FIN/ACK to the browser to close the connection after sending a block page. This issue occurred for firewalls configured to perform NAT.
