End-of-Life (EoL)
PAN-OS 7.1.6 Addressed Issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.6 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information
in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues
and any newly addressed issues in these release notes are identified
using new issue ID numbers that include a product-specific prefix.
Issues addressed in earlier releases and any associated known issue
descriptions continue to use their original issue ID.
Issue ID | Description |
---|---|
PAN-68586 | Fixed an issue where adding, removing, or modifying
the Import/Export rules in a BGP configuration caused BFD and BGP
neighbor state to flap. |
PAN-67730 | Fixed an issue where a process (l3svc) stopped
responding multiple times with the message l3scv: Exited
4 times, waiting xxxx seconds to retry. With this fix,
the failing process (l3svc) will no longer exit inadvertently. |
PAN-67231 | Fixed an issue on PA-5000 Series and PA-3000
Series firewalls where the dataplane restarted when processing traffic
that had an incorrectly set IPv4 Reserved Flag. |
PAN-66991 | Fixed an issue where, if the firewall received
an empty SCEP authentication cookie from a GlobalProtect agent,
a process (ssl-mgr) on the firewall restarted. With this fix, the
process does not restart when it receives an empty authentication
cookie (the cookies are transparent to the user and cannot be configured). |
PAN-66677 | Fixed an issue on PA-5000 Series firewalls
where traffic looped infinitely between dataplanes, which caused
a loss of the affected traffic and a spike in CPU consumption. |
PAN-66250 | Fixed an issue on log collectors where a deadlock
occurred for inter-log collector connections, which caused connectivity
issues between log collectors and between firewalls and log collectors.
This issue also caused local buffering of logs on the firewall.
With this fix, log collector connection processing has been modified
to eliminate these issues. |
PAN-66210 | Fixed an issue where a dataplane process failed
to restart due to a missing or corrupt file, which caused the network
processing card (NPC) to restart. |
PAN-65996 | Fixed an issue where, if a connection to the
LDAP server failed, the authentication process (authd) stopped processing
GlobalProtect user authentication requests, and, eventually, all
subsequent successful authentication requests were dropped because
the retry-interval flag was not set correctly. With this fix, authentication
functions normally after the retry interval. |
PAN-64796 | Fixed an issue where a process (logrcvr) consumed
more memory than expected when a WildFire update occurred if you
enabled correlation objects (Monitor > Automated Correlation
Engine > Correlation Objects). |
PAN-64727 | Fixed an issue where the firewall changed the
sequence numbers of forwarded TCP keep-alive packets. |
PAN-64582 | Fixed an issue where a memory leak prevented
secure websites from loading correctly if the URL filtering configuration
blocked some objects on the page and a decryption profile rule applied
“No Decrypt” to the website. |
PAN-64368 | Fixed an issue on PA-7000 Series firewalls
where, if you applied a Quality of Service (QoS) profile to an Aggregated
Ethernet (AE) interface, the QoS statistics reported a maximum egress
for the AE interface that differed from the sum of the egress values
of the individual interfaces in the aggregate. With this fix, QoS
statistics correctly report the configured QoS value of the AE interface. |
PAN-64361 | Fixed an issue where the DNS proxy failed for
DNS traffic that used TCP as the transport protocol and DNS
servers contained DNS records with a very large number of entries
(more than 100). |
PAN-64360 | Fixed an issue where the firewall failed to
populate the email sender, recipient, and subject information for
WildFire reports. |
PAN-64263 | Fixed an issue where forward-proxy decryption
failed if the server certificate record size exceeded 16KB. |
PAN-63928 | Fixed an issue where, when a limited-role user accessed
the web interface on the firewall and made changes from the Panorama
context, the firewall applied an automated commit lock that could not
be removed from that user. |
PAN-63818 | Fixed an issue on Panorama where, after you
added a zone to a template, the zone failed to show up in the drop-down
when choosing the source in a security policy. |
PAN-63800 | Fixed an issue where, if you enabled decryption
on the firewall with a decryption profile that did not use Diffie-Hellman
(DHE) and Elliptic Curve Diffie-Hellman (ECDHE) ciphers, the firewall
sent an elliptic curve extension in the Client Hello, which caused
the server to decline the connection. |
PAN-63315 | Fixed an issue where the custom response page
for URL overrides failed to display. |
PAN-63142 | Fixed an issue where the dataplane restarted
when processing IPv6 traffic that matched a predict session. |
PAN-63080 | Fixed an issue where a process (websrvr) stopped
responding, which caused the captive portal to not function. This
issue occurred when you had a custom response page that used a large
binary object. |
PAN-63073 | Security-related fixes were made to prevent
denial of service attacks against the web management interface (PAN-SA-2016-0035). |
PAN-62782 | Fixed an issue where an LDAP query that terminated
before completion resulted in a memory corruption. |
PAN-62385 | Fixed an issue where, if the firewall lost
connectivity with an LDAP server or if you applied an invalid query
filter, and the disruption occurred during a User-ID group mapping
update, the firewall deleted existing user-group mappings. With
this fix, a disruption during a User-ID group mapping update
causes the firewall to stop adding new user-group mappings, but the
firewall does not delete existing user-group mappings. |
PAN-62261 | Fixed an issue where the DNS proxy failed for
DNS traffic that used TCP as the transport protocol. |
PAN-62188 | Fixed an issue where, if you configured a large
number of FQDN objects, the firewall required multiple commits to
refresh the objects. |
PAN-61554 | Fixed an issue where a memory leak in a process
(authd) caused all authentications to the firewall to fail. |
PAN-61547 | Fixed an issue where a process (snmpd) had
a memory leak that caused frequent SNMP restarts. |
PAN-61543 | Fixed an issue where, after you committed a
push from the Panorama web interface to a device, the commit job
appeared to stall at 0% complete even though Panorama successfully
pushed the configuration. |
PAN-61468 | A security-related fix was made to address
CVE-2016-6210 (PAN-SA-2016-0036). |
PAN-61436 | Fixed an issue where SSL Forward Proxy decryption
failed with the error Unsupported Version if the
server returned a very large certificate. With this fix, decryption
succeeds even for very large certificates. |
PAN-61428 | Fixed an issue where the firewall allowed a
GlobalProtect client to connect without validating the client certificate. |
PAN-61104 | A security-related fix was made to address
a local privilege escalation issue (PAN-SA-2016-0034). |
PAN-60933 | Fixed an issue on firewalls in an HA active/passive
configuration where, if you enabled LACP prenegotiation, the passive
firewall intermittently forwarded traffic. |
PAN-60893 | Fixed an issue where the API command show
object registered-ip all option count failed to produce
the correct output when there were more than 500 registered entries.
When this issue occurred, the command returned a file location for
a file that listed the IP addresses instead of returning a count.
With this fix, the API command functions correctly when there are
more than 500 registered entries and returns the same output as
the equivalent CLI command. |
PAN-60390 | Fixed an issue on Panorama where, if a RADIUS
user logged in and tried to commit a configuration change, the commit
window appeared and then disappeared before it could be read by
the user. |
PAN-59715 | Fixed an issue where the GlobalProtect agent
disconnected from the GlobalProtect gateway under high traffic loads.
This issue occurred when the connections employed SSL tunnels instead
of IPSec tunnels. |
PAN-59532 | Fixed an issue where, if you imported a device
configuration into Panorama, and then pushed the configuration to
a firewall, the commit failed with the error region unexpected
here. |
PAN-59411 | Fixed an issue where a process (logrcvr) stopped
responding, which caused commit and OSPF adjacency failures. With
this fix, the process uses the correct buffer size to prevent the
fault. |
PAN-58906 | Fixed an issue where, if you deselected the Log
at Session End option, the log still generated entries
for security policies with a configured URL category and an action
other than Allow. With this fix, the firewall does not
generate log entries if the option is deselected. |
PAN-58822 | Fixed an issue where the firewall blocked a
static route configuration for the IPv4 destination 0.0.0.0/1. With
this fix, the firewall allows configuration of static route entries
in the range of 0.0.0.0/[0-7]. |
PAN-58673 | Fixed an issue where the firewall did not use
a second LDAP server for authentication if the first LDAP server
was unreachable. |
PAN-58618 | Fixed an issue where the firewall dataplane
restarted if you enabled data leak prevention (DLP). |
PAN-58602 | Fixed an issue where a Panorama template commit
to a firewall failed with the error LDAP is missing 'ssl'.
This issue occurred when the firewall operated in CCEAL4 mode. |
PAN-58589 | Fixed an issue where the dataplane restarted
when an out-of-memory condition occurred on a process (pan_comm). |
PAN-58526 | Fixed an issue where Kerberos authentication
to the Captive Portal was unsuccessful if the Kerberos token was
larger than 8,000 bytes. |
PAN-58516 | Fixed an issue on PA-500 and PA-2000 Series
firewalls where corruption of an instruction cache caused the firewall
to restart. This issue occurred after the firewall was in continuous
operation without a restart for hundreds of days. |
PAN-58508 | Fixed an issue where the firewall tried to
create IP address-to-username mappings for IP addresses in the zone
exclude list if the addresses were configured as address objects. |
PAN-58413 | Fixed an issue on firewalls and Panorama where,
if you attempted to manually upload a software image that was larger
than 1GB from the web interface, the upload failed with the error Upload
file size exceeded system limit. With this fix, the firewall
and Panorama size limit on software image uploads is increased. |
PAN-58410 | Fixed an issue on VM-Series firewalls in an
HA configuration where an interface on the active firewall displayed
its status as ukn/ukn/down(autoneg) after a failover
occurred. |
PAN-57946 | Fixed an issue on the M-100 appliance where
a configuration for a subnet in the permitted IP addresses of interface
Eth1 or Eth2 failed to take effect. |
PAN-57787 | Fixed an issue on Panorama where, if you used
the CLI replace command to replace a device serial
number, Panorama updated the managed device serial number but did
not update the serial number in the deployment schedule or in custom
reports. |
PAN-57785 | Fixed an issue where the CLI commands show
wildfire status and test wildfire tor returned
Tor status errors. With this fix, the CLI commands only return Tor
status errors in the case of an actual communication error. |
PAN-57593 | Fixed an issue where a decryption policy stopped
decrypting SSL traffic if you enabled Wait for URL on
SSL decryption. |
PAN-57514 | Fixed an issue where correlation logs forwarded
from Panorama to an external syslog server contained a dash (-)
instead of the Panorama hostname. |
PAN-57358 | Fixed an issue on Panorama where, if you tried
to import a device state bundle in the device context (Device
> Operation > Import), the import failed with the error message Error
in copying file. With this fix, device state import works
as expected. |
PAN-57145 | Fixed an issue where, if the firewall performed
IP and port NAT in the path of a GlobalProtect Large Scale VPN (LSVPN)
IPSec tunnel, a re-key caused the firewall side to temporarily change
back to the default port number for the new tunnel, and the intermediate
NAT device dropped traffic until the old tunnel timed out or was
deleted manually. With this fix, when a re-key happens, the firewall searches
and applies the correct port number to the new tunnel immediately,
which prevents traffic drops. |
PAN-57121 | Fixed an issue where a VM-Series firewall that
was in FIPS-CC mode could not connect to a Panorama server that
was in normal mode. |
PAN-56969 | Fixed an issue where the firewall did not record
X-Forwarded-For (XFF), User-Agent, or Referral HTTP headers in the
URL log if the traffic was blocked or reset by a security profile
even when HTTP header logging was enabled and the traffic contained
those fields. With this fix, the firewall correctly logs the HTTP
Headers. |
PAN-56831 | Fixed an issue on PA-7000 Series firewalls
where, if the firewall processed UDP packets using an inter-vsys
configuration, the packets looped repeatedly from one dataplane
to another and increased dataplane CPU consumption to nearly 100%.
With this fix, the firewall does not create a loop condition and
processes the packets correctly. |
PAN-56775 | Fixed an issue where a firewall configured
to perform a monthly update of the external dynamic list (EDL) initiated
an EDL refresh job every second. |
PAN-56438 | Fixed an issue where the internal value for
block time in the Denial of Service (DoS) table exceeded the configured
block time. This issue occurred on firewalls installed in an HA
configuration. |
PAN-56257 | Fixed an issue where reverse proxy key log
entries did not contain Common Name (CN) information when a certificate
mismatch occurred. |
PAN-56009 | Fixed an issue on firewalls installed in an
HA active/active configuration where out-of-order jumbo packets
caused the dataplane to restart, which resulted in a failover. |
PAN-55737 | Fixed an issue on PA-200 firewalls where, after
the firewall rebooted and before NTP synchronization occurred, the
firewall reported a reboot time without a timezone calculation to
Panorama. |
PAN-55474 | Fixed an issue on firewalls in an HA active/passive
configuration where, if you configured the path monitor timers with
an aggressive value, the firewalls entered an unstable state with
one node eventually becoming non-functional. |
PAN-55344 | Fixed an issue where the web interface limited
the high availability (HA) active/active IPv6 virtual address field
to 31 characters. |
PAN-55237 | A security-related fix was made to address
an XPath injection vulnerability in the web interface (PAN-SA-2016-0037). |
PAN-55196 | Fixed an issue where the firewall did not resolve
the IPv4 addresses of configured FQDN objects if you disabled firewalling
for IPv6 addresses and you configured FQDN objects with both IPv4
and IPv6 addresses. |
PAN-55190 | Fixed an issue where a firewall failed to resolve
URLs on the dataplane. This issue occurred when an out-of-memory
error caused faults in the URL cache. With this fix, firewalls handle
out-of-memory errors correctly, allowing proper resolution of URLs. |
PAN-54492 | Fixed an issue on firewalls and Panorama where
SaaS reporting failed and a process (saas_report_wra) did not exit
properly after the reporting failure. |
PAN-54279 | Fixed an issue where the FTP file transfer
of a large number of small files failed because the firewall did
not install the FTP data-channel session in a timely manner. |
PAN-53860 | Fixed an issue where SSL decryption did not
occur if the SSL handshake was very large. |
PAN-52138 | Fixed an issue on firewalls with destination
NAT enabled where video calls from outside the network failed because
the firewall did not properly translate connect packets. |
PAN-51703 | Fixed an issue where a firewall process (all_pktproc)
stopped responding after upgrading a firewall to a PAN-OS 7.1 release. |
PAN-39257 | Fixed an issue where you could forge the URL
filtering continue action by modifying the User-ID
(uid) parameter in the URL presented by the
firewall. This issue occurred in a limited context where a malicious
second user clicked on the Continue page alert
on behalf of the actual user. |