PAN-OS 7.1.8 Addressed Issues
The following entries describe the issues that are addressed in the PAN-OS® 7.1.8 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Fixed an issue where UDP IPv6 fragmented packets were dropped due to an incorrect defrag packet attached to the session bind nack message.
Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.
Improved file-type identification for Office Open XML (OOXML) files, which improves the ability for WildFire to accurately classify OOXML files as benign or malicious.
Fixed an issue on PA-7000 Series firewalls where sessions were dropped with the flow_bind_pending_full message when using Ethernet IP (etherip) protocol 97, which resulted in unstable connections and delayed responses.
Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.
Fixed an issue on PA-5000 Series firewalls where the dataplane restarted due to specific changes related to certificates or SSL profiles in a GlobalProtect configuration—specifically, configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect.
Fixed an issue where MAC address table entries with a time-to-live (TTL) value of 0 were not removed as expected, which caused the table to continually increase in size.
Fixed an issue with the passive firewall in a high availability (HA) configuration that had LACP pre-negotiation enabled where the firewall stopped correctly processing LACP (LACPDU) packets through an interface that had previously physically flapped.
Fixed an issue where deactivating a VM-Series firewall from Panorama failed and caused the firewall to become unreachable when the Verify Update Server Identity setting was enabled in Panorama (Panorama > Setup > Services > Verify Update Server Identity) but disabled on the firewall.
Fixed an issue on a virtual wire where, if you enabled Link State Pass Through (Network > Virtual Wires), there were significant delays in link-state propagation or even instances where an interface stayed down permanently even when ports were re-enabled on the neighbor device.
Fixed an issue where the User-ID process (userid) stopped responding when the firewall was having connectivity issues with one of the LDAP servers.
A security-related fix was made to prevent inappropriate information disclosure to authenticated users (CVE-2017-5583 / PAN-SA-2017-0005).
Fixed an issue where RADIUS challenge-based authentication failed when user input included uppercase characters.
Fixed an issue where SNMP packets caused a decoder loop that resulted in high dataplane CPU usage.
Fixed an issue where renaming a template broke the configuration for any NSX service profile zones within that template.
Fixed an issue where, when you used a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license was not applied because the firewall did not reboot after the license was installed.
Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to managed firewalls running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.
Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a 502 Bad Gateway error.
Fixed an issue where the management interface configured for DHCP caused FQDN resolution to fail.
A security-related fix was made to address CVE-2016-5195, the Linux kernel "Dirty COW" local privilege-escalation vulnerability (PAN-SA-2017-0003).
Fixed an issue on VM-Series firewalls where rebooting or configuring a new L3 interface caused the IP range configured on a disabled interface to be incorrectly installed in the FIB and routing table if you disabled the interface from the vSwitch.
Fixed an issue where the firewall failed to apply the correct action if the vulnerability profile had a very long list of CVEs. With this fix, the firewall is able to support up to 64 CVEs per vulnerability rule. If the number of CVEs in the rule is more than 64, the firewall displays a warning when you commit configuration changes.
The netstat CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the netstat command is reintroduced.
Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions.
Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.
Fixed an issue on PA-7000 Series firewalls where the PA-7000-20GQXM-NPC and PA-7000-20GQ-NPC cards could not achieve more than 16 Gbps throughput for non-offloaded traffic. With this fix, the cards can reach the maximum specified throughput of 20 Gbps.
A security-related fix was made to address a cross-site scripting (XSS) vulnerability in the management web interface (CVE-2017-5584 / PAN-SA-2017-0004).
Fixed an issue with memory leaks associated with the routed process when allocated memory was not released when no longer needed.
Fixed an issue where a role-based Panorama administrator could not perform a configuration audit after context-switching to a firewall.
Fixed an issue on Panorama where attempting to configure dynamic IP objects using the XML API failed, preventing the configuration from being pushed to the managed firewalls.
Fixed an issue where the predict session incorrectly used the policies of the parent session.
Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.
Fixed an issue where custom reports did not populate correctly when grouped by source country.
Fixed an issue where User-ID failed to update the allow list for a group name that was larger than 128 bytes.
Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup.
Fixed an issue on Panorama virtual appliances in an HA configuration where, if you enabled log forwarding to syslog, both the active and passive peers sent logs. With this fix, only the active peer sends logs when you enable log forwarding to syslog.
Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.
Fixed an issue where usernames were displayed in logs and reports even though the privacy settings of the admin role were configured to prevent their display.
Fixed an issue where the firewall incorrectly assigned an expired User-ID IP mapping for 30 seconds after the original mapping had expired.
Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.
Fixed an issue where the firewall dropped RTP traffic matching a predict session when a video call was initiated from the external side of a shared gateway. With this fix, when a predict session crosses a different vsys or a shared gateway, the firewall uses the egress interface's vsys to look up the destination zone instead of the session's vsys.
Fixed an issue where multicast entries were pointing to the wrong rendezvous point (RP) IP address because a recycled interface ID allocated for PIM register encapsulation retained an old tunnel interface that pointed to the wrong RP.
Fixed an issue where the User-ID agent incorrectly read the IP address in the security logs for Kerberos login events.
Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.
Fixed an issue where configurations committed from Panorama stalled at 99% and failed to complete.
Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action (Network > Zone Protection > Flood Protection).
Fixed an issue where certain Access Domain users (such as vsys administrators) were not able to log in to the web interface on the firewall; instead, they received the following error: Could not find role profile in running config.
Fixed an issue where read-only superusers were able to view threat packet captures (pcaps) on the firewall but received an error (“File not found”) when they attempted to export certain types of pcap files (threat, threat extpcap, app, and filtering).
Fixed an issue on devices where commits failed due to issues with a process (authd).
Fixed an issue where the server-to-client (s2c) flow for RTP predicted sessions was not correctly matching a policy-based forwarding (PBF) rule.
Fixed an issue where a custom role administrator with commit privileges could not commit configurations using the XML API.
Fixed an issue where renaming an address object caused the commit to a Device Group to fail.
Fixed an issue where the firewall did not create an IPSec NAT-T session after a tunnel re-key until it originated a tunnel keep-alive. When this issue occurred, the firewall dropped NAT-T packets.
Fixed an issue where custom reports using threat summary were not populated.
Fixed an issue where PA-7000 Series firewalls were sending report requests even when the debug skip-condor reports CLI command was set to no.
Fixed an issue where the firewall reset connections instead of sending an SMTP 5.4.1 error message when SMTP traffic was blocked after detecting a vulnerability signature. With this fix, the firewall sends an SMTP 5.4.1 error message when SMTP traffic is blocked due to a vulnerability signature.
Fixed an issue where a slow file descriptor leak between two processes (mgmtsrvr and pan_log_receiver) caused the log receiver to stop responding and degraded management server performance. This issue occurred after a long device up time (more than 380 days).
Fixed an issue where the dataplane stopped responding when a change to the Aggregate Ethernet (AE) link configuration was committed, resulting in an unexpected path monitoring condition.
Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.
Fixed an issue where DNS proxy static entries stopped working when there were duplicate entries in the configuration.
Fixed an issue where you could not select a configured decrypt interface (it did not display) in the Decrypt Mirror drop-down (Device Groups > Objects > Decryption Profile) when the firewall or appliance was part of a template stack but not a template.
Fixed an issue where CSV exports of system logs from the web interface did not enclose strings containing commas in quotes, which broke the formatting of the entries. With this fix, strings containing commas are enclosed in double quotes.
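The 64-CVE-per-rule limit noted above for vulnerability profiles is worth checking before a commit, because the warning only appears at commit time. The following script is an added example, not Palo Alto Networks code: it walks an exported PAN-OS XML configuration and reports any vulnerability rule whose explicit CVE list exceeds the limit. The element layout it assumes (`profiles/vulnerability/entry/rules/entry/cve/member`) is an assumption about the PAN-OS config schema, and the sample configuration embedded in it is constructed for the example.

```python
import xml.etree.ElementTree as ET

MAX_CVES_PER_RULE = 64  # limit stated in the PAN-OS 7.1.8 release notes


def _cve_members(n, start=1000):
    """Build n constructed CVE <member> elements for the sample config."""
    return "".join(f"<member>CVE-2017-{start + i}</member>" for i in range(n))


# Constructed sample config. The element layout (profiles/vulnerability/
# entry/rules/entry/cve/member) is an assumption about the PAN-OS XML
# config schema, not something taken from the release notes.
SAMPLE_CONFIG = f"""
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles><vulnerability>
      <entry name="strict">
        <rules>
          <entry name="too-many"><action><reset-both/></action>
            <cve>{_cve_members(65)}</cve></entry>
          <entry name="ok"><action><reset-both/></action>
            <cve>{_cve_members(10)}</cve></entry>
          <entry name="any"><action><alert/></action>
            <cve><member>any</member></cve></entry>
        </rules>
      </entry>
    </vulnerability></profiles>
  </entry></vsys></entry></devices>
</config>
""".strip()


def cve_counts(config_xml):
    """Return {(profile, rule): number of explicit CVE IDs} for every
    vulnerability rule in the config. The keyword 'any' is not an explicit
    CVE and is not counted."""
    root = ET.fromstring(config_xml)
    counts = {}
    for vuln in root.iter("vulnerability"):
        for profile in vuln.findall("entry"):
            for rule in profile.findall("rules/entry"):
                members = [m.text.strip() for m in rule.findall("cve/member") if m.text]
                explicit = [m for m in members if m.lower() != "any"]
                counts[(profile.get("name"), rule.get("name"))] = len(explicit)
    return counts


def over_limit(config_xml, limit=MAX_CVES_PER_RULE):
    """Return the (profile, rule) pairs whose explicit CVE count exceeds limit."""
    return sorted(k for k, n in cve_counts(config_xml).items() if n > limit)


if __name__ == "__main__":
    for profile, rule in over_limit(SAMPLE_CONFIG):
        n = cve_counts(SAMPLE_CONFIG)[(profile, rule)]
        print(f"profile {profile!r} rule {rule!r}: {n} CVEs (> {MAX_CVES_PER_RULE})")
```

Run it against a configuration exported from the firewall (Device > Setup > Operations > Export named configuration snapshot) by replacing SAMPLE_CONFIG with the file contents; a rule that appears in the output should be split so that each rule lists at most 64 CVEs.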
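The CSV export fix above matters to anyone parsing firewall system logs downstream: an unquoted comma inside the description field shifts every later column. The following is an added example, not code from the page or from Palo Alto Networks, showing the pre-fix output beside a correctly quoted export and how a standard CSV parser treats each. The log rows are constructed for the example.

```python
import csv
import io

# Constructed sample system-log rows; the first description contains commas.
HEADER = ["receive_time", "type", "subtype", "severity", "description"]
SAMPLE_ROWS = [
    ["2017/03/01 10:15:02", "system", "general", "informational",
     "User admin logged in via Web from 10.0.0.5, session id 42, using https"],
    ["2017/03/01 10:16:40", "system", "ha", "high",
     "HA Group 1: Moved from state Passive to state Active"],
]


def export_unquoted(rows):
    """The pre-7.1.8 behaviour described in the release note: fields are
    joined with commas and never quoted, so a comma inside a field is
    indistinguishable from a column separator."""
    return "\n".join(",".join(r) for r in [HEADER] + rows) + "\n"


def export_quoted(rows):
    """Fixed behaviour: RFC 4180-style quoting. QUOTE_MINIMAL wraps any field
    that contains the delimiter, a quote or a newline in double quotes and
    doubles any embedded double quote."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def column_counts(text):
    """Parse an export with a standard CSV reader and return the number of
    fields seen in each row (header first)."""
    return [len(r) for r in csv.reader(io.StringIO(text))]


def round_trips(text, rows):
    """True if parsing the export gives back exactly the original rows."""
    return list(csv.reader(io.StringIO(text)))[1:] == rows


if __name__ == "__main__":
    print("unquoted columns per row:", column_counts(export_unquoted(SAMPLE_ROWS)))
    print("quoted columns per row:  ", column_counts(export_quoted(SAMPLE_ROWS)))
```

With the unquoted export the first log row parses into seven fields instead of five, so a SIEM ingest keyed on column position would file part of the description as extra columns; the quoted export parses back to the original rows unchanged.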