PAN-OS 7.1.6 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.6 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Fixed an issue where adding, removing, or modifying the Import/Export rules in a BGP configuration caused BFD and BGP neighbor state to flap.
Fixed an issue where a process (l3svc) stopped responding multiple times with the message l3scv: Exited 4 times, waiting xxxx seconds to retry. With this fix, the failing process (l3svc) will no longer exit inadvertently.
Fixed an issue on PA-5000 Series and PA-3000 Series firewalls where the dataplane restarted when processing traffic that had an incorrectly set IPv4 Reserved Flag.
Fixed an issue where, if the firewall received an empty SCEP authentication cookie from a GlobalProtect agent, a process (ssl-mgr) on the firewall restarted. With this fix, the process does not restart when it receives an empty authentication cookie (the cookies are transparent to the user and cannot be configured).
Fixed an issue on PA-5000 Series firewalls where traffic looped infinitely between dataplanes, which caused a loss of the affected traffic and a spike in CPU consumption.
Fixed an issue on log collectors where a deadlock occurred for inter-log collector connections, which caused connectivity issues between log collectors and between firewalls and log collectors. This issue also caused local buffering of logs on the firewall. With this fix, log collector connection processing has been modified to eliminate these issues.
Fixed an issue where a dataplane process failed to restart due to a missing or corrupt file, which caused the network processing card (NPC) to restart.
Fixed an issue where, if a connection to the LDAP server failed, the authentication process (authd) stopped processing GlobalProtect user authentication requests, and, eventually, all subsequent successful authentication requests were dropped because the retry-interval flag was not set correctly. With this fix, authentication functions normally after the retry interval.
Fixed an issue where a process (logrcvr) consumed more memory than expected when a WildFire update occurred if you enabled correlation objects (Monitor > Automated Correlation Engine > Correlation Objects).
Fixed an issue where the firewall changed the sequence numbers of forwarded TCP keep-alive packets.
Fixed an issue where a memory leak prevented secure websites from loading correctly if the URL filtering configuration blocked some objects on the page and a decryption profile rule applied “No Decrypt” to the website.
Fixed an issue on PA-7000 Series firewalls where, if you applied a Quality of Service (QoS) profile to an Aggregated Ethernet (AE) interface, the QoS statistics reported a maximum egress for the AE interface that differed from the sum of the egress values of the individual interfaces in the aggregate. With this fix, QoS statistics correctly report the configured QoS value of the AE interface.
Fixed an issue where the DNS proxy failed for DNS traffic that used TCP as the transportation protocol and DNS servers contained DNS records with a very large number of entries (more than 100).
Fixed an issue where the firewall failed to populate the email sender, recipient, and subject information for WildFire reports.
Fixed an issue where forward-proxy decryption failed if the server certificate record size exceeded 16KB.
Fixed an issue where, when a limited-role user accessed the web interface on the firewall and made changes from the Panorama context, the firewall applied an automated commit lock that could not be removed from that user.
Fixed an issue on Panorama where, after you added a zone to a template, the zone failed to show up in the drop-down when choosing the source in a security policy.
Fixed an issue where, if you enabled decryption on the firewall with a decryption profile that did not use Diffie-Hellman (DHE) and Elliptic Curve Diffie-Hellman (ECDHE) ciphers, the firewall sent an elliptic curve extension in the Client Hello, which caused the server to decline the connection.
Fixed an issue where the custom response page for URL overrides failed to display.
Fixed an issue where the dataplane restarted when processing IPv6 traffic that matched a predict session.
Fixed an issue where a process (websrvr) stopped responding, which caused the captive portal to not function. This issue occurred when you had a custom response page that used a large binary object.
Security-related fixes were made to prevent denial of service attacks against the web management interface (PAN-SA-2016-0035).
Fixed an issue where an LDAP query that terminated before completion resulted in a memory corruption.
Fixed an issue where, if the firewall lost connectivity with an LDAP server or if you applied an invalid query filter, and the disruption occurred during a User-ID group mapping update, the firewall deleted existing user-group mappings. With this fix, a disruption during a User-ID group mapping update causes the firewall to stop adding new user-group mappings, but the firewall does not delete existing user-group mappings.
Fixed an issue where the DNS proxy failed for DNS traffic that used TCP as the transportation protocol.
Fixed an issue where, if you configured a large number of FQDN objects, the firewall required multiple commits to refresh the objects.
Fixed an issue where a memory leak in a process (authd) caused all authentications to the firewall to fail.
Fixed an issue where a process (snmpd) had a memory leak that caused frequent SNMP restarts.
Fixed an issue where, after you committed a push from the Panorama web interface to a device, the commit job appeared to stall at 0% complete even though Panorama successfully pushed the configuration.
A security-related fix was made to address CVE-2016-6210 (PAN-SA-2016-0036).
Fixed an issue where SSL Forward Proxy decryption failed with the error Unsupported Version if the server returned a very large certificate. With this fix, decryption succeeds even for very large certificates.
Fixed an issue where the firewall allowed a GlobalProtect client to connect without validating the client certificate.
A security-related fix was made to address a local privilege escalation issue (PAN-SA-2016-0034).
Fixed an issue on firewalls in an HA active/passive configuration where, if you enabled LACP prenegotiation, the passive firewall intermittently forwarded traffic.
Fixed an issue where the API command show object registered-ip all option count failed to produce the correct output where there were more than 500 registered entries. When this issue occurred, the command returned a file location for a file that listed the IP addresses instead of returning a count. With this fix, the API command functions correctly where there are more than 500 registered entries and returns the same output as the equivalent CLI command.
Fixed an issue on Panorama where, if a RADIUS user logged in and tried to commit a configuration change, the commit window appeared and then disappeared before it could be read by the user.
Fixed an issue where the GlobalProtect agent disconnected from the GlobalProtect gateway under high traffic loads. This issue occurred when the connections employed SSL tunnels instead of IPSec tunnels.
Fixed an issue where, if you imported a device configuration into Panorama, and then pushed the configuration to a firewall, the commit failed with the error region unexpected here.
Fixed an issue where a process (logrcvr) stopped responding, which caused commit and OSPF adjacency failures. With this fix, the process uses the correct buffer size to prevent the fault.
Fixed an issue where, if you deselected the Log at Session End option, the log still generated entries for security policies with a configured URL category and an action other than Allow. With this fix, the firewall does not generate log entries if the option is deselected.
Fixed an issue where the firewall blocked a static route configuration for the IPv4 destination 0.0.0.0/1. With this fix, the firewall allows configuration of static route entries in the range of 0.0.0.0/[0-7].
Fixed an issue where the firewall did not use a second LDAP server for authentication if the first LDAP server was unreachable.
Fixed an issue where the firewall dataplane restarted if you enabled data leak prevention (DLP).
Fixed an issue where a Panorama template commit to a firewall failed with the error LDAP is missing 'ssl'. This issue occurred when the firewall operated in CCEAL4 mode.
Fixed an issue where the dataplane restarted when an out-of-memory condition occurred on a process (pan_comm).
Fixed an issue where Kerberos authentication to the Captive Portal was unsuccessful if the Kerberos token was larger than 8,000 bytes.
Fixed an issue on PA-500 and PA-2000 Series firewalls where corruption of an instruction cache caused the firewall to restart. This issue occurred after the firewall was in continuous operation without a restart for hundreds of days.
Fixed an issue where the firewall tried to create IP address-to-username mappings for IP addresses in the zone exclude list if the addresses were configured as address objects.
Fixed an issue on firewalls and Panorama where, if you attempted to manually upload a software image that was larger than 1GB from the web interface, the upload failed with the error Upload file size exceeded system limit. With this fix, the firewall and Panorama size limit on software image uploads is increased.
Fixed an issue on VM-Series firewalls in an HA configuration where an interface on the active firewall displayed its status as ukn/ukn/down(autoneg) after a failover occurred.
Fixed an issue on the M-100 appliance where a configuration for a subnet in the permitted IP addresses of interface Eth1 or Eth2 failed to take effect.
Fixed an issue on Panorama where, if you used the CLI replace command to replace a device serial number, Panorama updated the managed device serial number but did not update the serial number in the deployment schedule or in custom reports.
Fixed an issue where the CLI commands show wildfire status and test wildfire tor returned Tor status errors. With this fix, the CLI commands only return Tor status errors in the case of an actual communication error.
Fixed an issue where a decryption policy stopped decrypting SSL traffic if you enabled Wait for URL on SSL decryption.
Fixed an issue where correlation logs forwarded from Panorama to an external syslog server contained a dash (-) instead of the Panorama hostname.
Fixed an issue on Panorama where, if you tried to import a device state bundle in the device context (Device > Operation > Import), the import failed with the error message Error in copying file. With this fix, device state import works as expected.
Fixed an issue where, if the firewall performed IP and port NAT in the path of a GlobalProtect Large Scale VPN (LSVPN) IPSec tunnel, a re-key caused the firewall side to temporarily change back to the default port number for the new tunnel, and the intermediate NAT device dropped traffic until the old tunnel timed out or was deleted manually. With this fix, when a re-key happens, the firewall searches and applies the correct port number to the new tunnel immediately, which prevents traffic drops.
Fixed an issue where a VM-Series firewall that was in FIPS-CC mode could not connect to a Panorama server that was in normal mode.
Fixed an issue where the firewall did not record X-Forwarded-For (XFF), User-Agent, or Referral HTTP headers in the URL log if the traffic was blocked or reset by a security profile even when HTTP header logging was enabled and the traffic contained those fields. With this fix, the firewall correctly logs the HTTP Headers.
Fixed an issue on PA-7000 Series firewalls where, if the firewall processed UDP packets using an inter-vsys configuration, the packets looped repeatedly from one dataplane to another and increased dataplane CPU consumption to nearly 100%. With this fix, the firewall does not create a loop condition and processes the packets correctly.
Fixed an issue where a firewall configured to perform a monthly update of the external dynamic list (EDL) initiated an EDL refresh job every second.
Fixed an issue where the internal value for block time in the Denial of Service (DoS) table exceeded the configured block time. This issue occurred on firewalls installed in an HA configuration.
Fixed an issue where reverse proxy key log entries did not contain Common Name (CN) information when a certificate mismatch occurred.
Fixed an issue on firewalls installed in an HA active/active configuration where out-of-order jumbo packets caused the dataplane to restart, which resulted in a failover.
Fixed an issue on PA-200 firewalls where, after the firewall rebooted and before NTP synchronization occurred, the firewall reported a reboot time without a timezone calculation to Panorama.
Fixed an issue on firewalls in an HA active/passive configuration where, if you configured the path monitor timers with an aggressive value, the firewalls entered an unstable state with one node eventually becoming non-functional.
Fixed an issue where the web interface limited the high availability (HA) active/active IPv6 virtual address field to 31 characters.
A security-related fix was made to address an XPath injection vulnerability in the web interface (PAN-SA-2016-0037).
Fixed an issue where the firewall did not resolve the IPv4 addresses of configured FQDN objects if you disabled firewalling for IPv6 addresses and you configured FQDN objects with both IPv4 and IPv6 addresses.
Fixed an issue where a firewall failed to resolve URLs on the dataplane. This issue occurred when an out-of-memory error caused faults in the URL cache. With this fix, firewalls handle out-of-memory errors correctly, allowing proper resolution of URLs.
Fixed an issue on firewalls and Panorama where SaaS reporting failed and a process (saas_report_wra) did not exit properly after the reporting failure.
Fixed an issue where the FTP file transfer of a large number of small files failed because the firewall did not install the FTP data-channel session in a timely manner.
Fixed an issue where SSL decryption did not occur if the SSL handshake was very large.
Fixed an issue on firewalls with destination NAT enabled where video calls from outside the network failed because the firewall did not properly translate connect packets.
Fixed an issue where a firewall process (all_pktproc) stopped responding after upgrading a firewall to a PAN-OS 7.1 release,
Fixed an issue where you could forge the URL filtering continue action by modifying the User-ID (uid) parameter in the URL presented by the firewall. This issue occurred in a limited context where a malicious second user clicked on the Continue page alert on behalf of the actual user.