End-of-Life (EoL)

PAN-OS 7.1.9 Addressed Issues

PAN-OS® 7.1.9 addressed issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.9 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID
Fixed an issue where the WF-500 appliance created too many logs when generating PDF reports.
Fixed an issue where the firewall failed to retrieve user groups from an LDAP server because the server response did not have a page control value.
Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single hop eBGP peer is changed to 1 (instead of 2).
Fixed an issue where loading a configuration other than running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release removed authentication profiles from GlobalProtect portals and gateways, which caused an auto-commit failure.
Fixed an issue where firewalls configured in a virtual wire deployment where Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets were dropped.
Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.
Fixed an issue where numerous NSX dynamic address updates caused Panorama to perform slower and to delay deployment of updates to firewalls. With this fix, you can use the request partner vmware-service-manager dau-updater-time-interval time-interval <time_interval_in_seconds> CLI command to set the interval at which Panorama processes the NSX dynamic updates.
Fixed an issue where the Panorama management server restarted after you installed the latest content database.
A security-related fix was made to prevent brute-force attacks on the GlobalProtect external interface (CVE-2017-7945).
Fixed an issue where high-volume SSL traffic intermittently added latency to SSL sessions.
Fixed an issue where LDAP authentication failed intermittently when the firewall tried to connect to the LDAP server through a service route or after HA failover.
Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.
Updated PAN-OS to address NTP issues (CVE-2016-7433).
Fixed an issue where Panorama failed to deploy BrightCloud URL filtering database updates to firewalls.
Fixed an issue where a commit associated with a dynamic update caused an HA failover when the path-monitoring target IP address aged out or when the first path-monitoring health check failed.
Fixed an issue where, when the firewall killed a process (l3svc), the process produced child processes that continued running. With this fix, the firewall cleans up the child processes before respawning the l3svc process.
Fixed an issue where an uninitialized general-purpose I/O (GPIO) controller driver caused the firewall to become unresponsive and require a reboot.
A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).
Fixed an issue on M-Series appliances in Panorama mode where Security policy rules did not display shared service groups in the service drop-down on the Service/URL Category tab if the drop-down had 5,000 or more entries.
A security-related fix was made to prevent tampering with files that are exported from the firewall web interface (CVE-2017-7217).
A security-related fix was made to prevent inappropriate disclosure of information through the firewall web interface (CVE-2017-721).
A security-related fix was made to prevent firewall administrators from performing actions through the web interface that require higher privileges than their administrator roles allow (CVE-2017-7218).
Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.
Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.
Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server when the SYN Cookies action was triggered.
Fixed an issue where the SNMP object panSessionActiveSslProxyUtilization contained inaccurate data.
Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set the Number of Hits (SSH hello messages) to 3 and per seconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.
Fixed an issue where having multiple IPSec IKE gateways configured to the same peer IP address caused VPN tunnels to flap.
Fixed an issue where firewalls and Panorama failed to send SNMPv3 traps if you configured the service route to forward the traps over a dataplane interface.
Fixed an issue where administrators with custom roles could not use the firewall CLI to change the HA state or initiate HA synchronization for the firewall.
Fixed an issue where the 7.1 SNMP traps MIB file (PAN-TRAPS.my) had an incorrect description for the panHostname attribute.
Fixed an issue where existing users were removed from user-group mappings when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs:
debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4 Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found
In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID This restriction is removed in PAN-OS 7.1.9.
Fixed an issue where the firewall automatically rebooted when you ran a Correlated Events query with more than 15 OR operators.
Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.
Fixed an issue where memory usage errors occurred if the PAN-OS integrated User-ID agent was monitoring numerous servers for login events. With this fix, the User-ID agent queries five servers at a time to prevent the firewall from exhausting memory.
If you check Status (Device > User Identification > User Mapping > Server Monitoring) during the initial attempt by the PAN-OS integrated User-ID agent to learn IP address-to-username mappings (or relearn mappings after a User-ID process restart, HA failover, or firewall reboot), you will see Connected status only for those servers for which the agent has already begun to learn mappings. All servers will display as Connected when the agent begins to learn mappings for the last set of servers.
Fixed an issue where the active firewall in an HA active/passive configuration did not synchronize GlobalProtect certificates with the passive firewall, which caused a commit failure on the passive firewall.
Fixed an issue where the firewall displayed shared response pages instead of the custom response pages (Captive Portal, URL continue, and URL override) that were configured for specific virtual systems.
Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.
Fixed an issue where you could not download WildFire private cloud updates because the firewall checked for the updates using a proxy server even when you configured the firewall not to Use Proxy Settings for Private Cloud (Device > Setup > WildFire).
Fixed an issue where the firewall did not apply a VLAN tag to BFD traffic on a VLAN subinterface.
Fixed an issue on PA-7000 Series firewalls where creation of IGMP sessions failed because they were stuck in an OPENING state or the wrong state.
Fixed an issue where IPv6 neighbor discovery failed intermittently due to a corrupted neighbor table.
Fixed an issue where memory issues caused User-ID processes to restart when multiple firewalls redistributed a large number of IP address-to-username mappings.
Fixed an issue where the firewall failed to establish connections from some virtual systems to Windows-based User-ID agents and Terminal Services agents.
Fixed an issue where the firewall used the wrong source zone when logging virtual system-to-virtual system sessions.
Fixed an issue where a commit validation error displayed when Panorama running a PAN-OS 7.1 or later release pushed a template configuration with a modified WildFire File Size Limits setting (Device > Setup > WildFire) to a firewall running a PAN-OS 7.1 or earlier release.
Fixed an issue where Traffic logs indicated a session was decrypted even though it matched a Decryption policy rule that specifies no decryption and even though no decryption occurred.
Fixed an issue where the firewall performed NAT translation incorrectly on the passive IP address in data packets when sending passive FTP connections over a proxy tunnel.
Fixed an issue on PA-7000 Series firewalls where, when creating the key for a GRE packet, the firewall did not use the same default values for the source and destination ports in the hardware and software, which slowed the firewall performance.
Fixed an issue where a Panorama management server that was not connected to the internet failed to deploy content updates to Log Collectors when you chose to Install From File.
Fixed an issue where removing and adding a large number of Security policy rules caused Traffic logs to lose their rule name field, which resulted in a commit failure.
Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.
Fixed an issue where the firewall deployed in an HA active/active configuration with asymmetric routing dropped packets in TCP, ICMP, and UDP traffic.
Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to PAN-OS 7.1.9 (or a later release) does not cause commit failures related to these settings.
Fixed an issue on firewalls with multiple virtual systems where the web interface displayed the Trusted Root CA option as disabled in certificates for which the option was actually enabled.
Fixed an issue where processing Oracle application traffic caused the firewall to reboot.
Fixed an issue where users were matched to the incorrect security policies.
Fixed an issue where the dataplane restarted unexpectedly when firewalls deployed in an HA configuration missed heartbeats.
Fixed an issue where the App Scope Traffic Map did not display the correct location of Samoa.
Fixed an issue where the firewall acted as a DHCP relay and no wireless devices on a VLAN received a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.
Fixed an issue where firewalls stopped connecting to Panorama when the root CA server certificate on Panorama expired. With this fix, Panorama replaces the original certificate with a new certificate that expires in 2024.
Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500-byte packet.
Fixed an issue where numerous SSL sessions exhausted the memory pool that the firewall required to insert new certificates in its certificate cache.
Fixed an issue where custom reports did not display a value for Day Received when running the report on demand (Run Now) while the web interface language was set to Japanese. (This was not an issue when exporting the report as a PDF, CSV, or XML file.)
Fixed an issue where commit failures caused by the firewall commit queue being full did not display the correct error message.
Fixed an issue where the firewall did not forward logs in the syslog format that you selected.
Fixed an issue where virtual system administrators saw commit warnings for virtual systems that were outside the scope of their administrative role privileges.
Fixed an issue where SNMP traps that the firewall generated did not include its system name or hostname.

Recommended For You