End-of-Life (EoL)
PAN-OS 7.1.9 Addressed Issues
The following table lists the issues that are addressed
in the PAN-OS® 7.1.9 release. For new features, associated software
versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information.
Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues
and any newly addressed issues in these release notes are identified
using new issue ID numbers that include a product-specific prefix.
Issues addressed in earlier releases and any associated known issue
descriptions continue to use their original issue ID.
Issue ID | Description |
---|---|
WF500-3605 | Fixed an issue where the WF-500 appliance created
too many logs when generating PDF reports. |
PAN-76265 | Fixed an issue where the firewall failed to
retrieve user groups from an LDAP server because the server response
did not have a page control value. |
PAN-75048 | Fixed an issue where the firewall used the
default route (instead of the next best available route) when the
eBGP next hop was unavailable, which resulted in dropped packets.
Additionally with this fix, the default time-to-live (TTL) value
for a single hop eBGP peer is changed to 1 (instead of 2). |
PAN-75005 | Fixed an issue where loading a configuration
other than running-config.xml when downgrading from PAN-OS 7.1.8
to a PAN-OS 7.0 release removed authentication profiles from GlobalProtect
portals and gateways, which caused an auto-commit failure. |
PAN-74161 | Fixed an issue where Spanning Tree Protocol (STP) bridge
protocol data unit (BPDU) packets were dropped on firewalls configured
in a virtual wire deployment. |
PAN-74128 | Fixed an issue where a session caused the dataplane
to restart if the session was active during and after you installed
a content update on the firewall and the update contained a decoder
change. |
PAN-74048 | Fixed an issue where numerous NSX dynamic address
updates caused Panorama to perform more slowly and to delay deployment
of updates to firewalls. With this fix, you can use the
`request partner vmware-service-manager dau-updater-time-interval time-interval <time_interval_in_seconds>`
CLI command to set the interval at which Panorama processes the
NSX dynamic updates. |
PAN-72779 | Fixed an issue where the Panorama management
server restarted after you installed the latest content database. |
PAN-72769 | A security-related fix was made to prevent
brute-force attacks on the GlobalProtect external interface (CVE-2017-7945). |
PAN-72350 | Fixed an issue where high-volume SSL traffic
intermittently added latency to SSL sessions. |
PAN-71530 | Fixed an issue where LDAP authentication failed
intermittently when the firewall tried to connect to the LDAP server
through a service route or after HA failover. |
PAN-71455 | Fixed an issue where users could not access
a secure website if the certificate authority that signed the web
server certificate also signed multiple certificates with the same
subject name in the Default Trusted Certificate Authorities list
on the firewall. |
PAN-71319 | Updated PAN-OS to address NTP issues (CVE-2016-7433). |
PAN-71284 | Fixed an issue where Panorama failed to deploy
BrightCloud URL filtering database updates to firewalls. |
PAN-71073 | Fixed an issue where a commit associated with
a dynamic update caused an HA failover when the path-monitoring
target IP address aged out or when the first path-monitoring health
check failed. |
PAN-71004 | Fixed an issue where, when the firewall killed
a process (l3svc), the process produced child processes that continued
running. With this fix, the firewall cleans up the child processes
before respawning the l3svc process. |
PAN-70620 | Fixed an issue where an uninitialized general-purpose
I/O (GPIO) controller driver caused the firewall to become unresponsive
and require a reboot. |
PAN-70541 | A security-related fix was made to address
an information disclosure issue that was caused by a firewall that
did not properly validate certain permissions when administrators
accessed the web interface over the management (MGT) interface (CVE-2017-7644). |
PAN-70483 | Fixed an issue on M-Series appliances in Panorama
mode where Security policy rules did not display shared service
groups in the service drop-down on the Service/URL Category tab
if the drop-down had 5,000 or more entries. |
PAN-70436 | A security-related fix was made to prevent
tampering with files that are exported from the firewall web interface
(CVE-2017-7217). |
PAN-70434 | A security-related fix was made to prevent
inappropriate disclosure of information through the firewall web
interface (CVE-2017-721). |
PAN-70426 | A security-related fix was made to prevent
firewall administrators from performing actions through the web
interface that require higher privileges than their administrator
roles allow (CVE-2017-7218). |
PAN-70345 | Fixed an issue where the M-Series appliances
did not forward logs to a syslog server over TCP ports. |
PAN-70323 | Fixed an issue where firewalls running in FIPS-CC
mode did not allow import of SHA-1 CA certificates even when the
private key was not included; instead, firewalls displayed the following
error: `Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.` |
PAN-69882 | Fixed an issue where firewalls that had multiple
virtual systems and that were deployed in an HA active/active configuration
dropped TCP sessions. |
PAN-69622 | Fixed an issue where the firewall did not properly
close a session after receiving a reset (RST) message from the server
when the SYN Cookies action was triggered. |
PAN-68934 | Fixed an issue where the SNMP object panSessionActiveSslProxyUtilization
contained inaccurate data. |
PAN-68873 | Fixed an issue where customizing the block
duration for threat ID 40015 in a Vulnerability Protection profile
did not adhere to the defined block interval. For example, if you
set the Number of Hits (SSH hello messages) to 3 and per seconds
to 60, after three consecutive SSH hello messages from the client,
the firewall failed to block the client for the full 60 seconds. |
PAN-68520 | Fixed an issue where having multiple IPSec
IKE gateways configured to the same peer IP address caused VPN tunnels
to flap. |
PAN-68431 | Fixed an issue where firewalls and Panorama
failed to send SNMPv3 traps if you configured the service route
to forward the traps over a dataplane interface. |
PAN-68210 | Fixed an issue where administrators with custom
roles could not use the firewall CLI to change the HA state or initiate
HA synchronization for the firewall. |
PAN-68185 | Fixed an issue where the 7.1 SNMP traps MIB
file (PAN-TRAPS.my) had an incorrect description for the panHostname
attribute. |
PAN-67629 | Fixed an issue where existing users were removed
from user-group mappings when the Active Directory (AD) did not
return an LDAP Page Control in response to an LDAP refresh, which
resulted in the following User-ID (useridd) logs:
|
PAN-67599 | In PAN-OS 7.0 and 7.1 releases, a restriction
was added to prevent an administrator from configuring OSPF router
ID 0.0.0.0. This restriction is removed in PAN-OS 7.1.9. |
PAN-67503 | Fixed an issue where the firewall automatically
rebooted when you ran a Correlated Events query with more than 15
OR operators. |
PAN-67029 | Fixed an issue where the firewall stopped forwarding
logs to external services (such as a syslog server) after the firewall
management server restarted unexpectedly. |
PAN-66610 | Fixed an issue where memory usage errors occurred
if the PAN-OS integrated User-ID agent was monitoring numerous servers
for login events. With this fix, the User-ID agent queries five
servers at a time to prevent the firewall from exhausting memory. If
you check Status (Device > User Identification > User Mapping >
Server Monitoring) during the initial attempt by the PAN-OS integrated
User-ID agent to learn IP address-to-username mappings (or relearn
mappings after a User-ID process restart, HA failover, or firewall
reboot), you will see Connected status only for those servers for
which the agent has already begun to learn mappings. All servers
will display as Connected when the agent begins to learn mappings for
the last set of servers. |
PAN-66399 | Fixed an issue where the active firewall in
an HA active/passive configuration did not synchronize GlobalProtect
certificates with the passive firewall, which caused a commit failure
on the passive firewall. |
PAN-66104 | Fixed an issue where the firewall displayed
shared response pages instead of the custom response pages (Captive
Portal, URL continue, and URL override) that were configured for
specific virtual systems. |
PAN-65969 | Fixed an issue on PA-7000 Series firewalls
where the Switch Management Card (SMC) restarted due to false positive
conditions (ATA errors) detected during a disk check. |
PAN-65939 | Fixed an issue where you could not download
WildFire private cloud updates because the firewall checked for
the updates using a proxy server even when you configured the firewall
not to Use Proxy Settings for Private Cloud (Device > Setup > WildFire). |
PAN-65669 | Fixed an issue where the firewall did not apply
a VLAN tag to BFD traffic on a VLAN subinterface. |
PAN-64436 | Fixed an issue on PA-7000 Series firewalls
where creation of IGMP sessions failed because they were stuck in
an OPENING state or the wrong state. |
PAN-64317 | Fixed an issue where IPv6 neighbor discovery
failed intermittently due to a corrupted neighbor table. |
PAN-63856 | Fixed an issue where memory issues caused User-ID
processes to restart when multiple firewalls redistributed a large
number of IP address-to-username mappings. |
PAN-63641 | Fixed an issue where the firewall failed to
establish connections from some virtual systems to Windows-based
User-ID agents and Terminal Services agents. |
PAN-63520 | Fixed an issue where the firewall used the
wrong source zone when logging virtual system-to-virtual system
sessions. |
PAN-63013 | Fixed an issue where a commit validation error
displayed when Panorama running a PAN-OS 7.1 or later release pushed
a template configuration with a modified WildFire File Size Limits
setting (Device > Setup > WildFire) to a firewall running a PAN-OS
7.1 or earlier release. |
PAN-62622 | Fixed an issue where Traffic logs indicated
a session was decrypted even though it matched a Decryption policy
rule that specifies no decryption and even though no decryption
occurred. |
PAN-62338 | Fixed an issue where the firewall performed
NAT translation incorrectly on the passive IP address in data packets
when sending passive FTP connections over a proxy tunnel. |
PAN-62015 | Fixed an issue on PA-7000 Series firewalls
where, when creating the key for a GRE packet, the firewall did
not use the same default values for the source and destination ports
in the hardware and software, which slowed the firewall performance. |
PAN-61439 | Fixed an issue where a Panorama management
server that was not connected to the internet failed to deploy content
updates to Log Collectors when you chose to Install From File. |
PAN-61300 | Fixed an issue where removing and adding a
large number of Security policy rules caused Traffic logs to lose
their rule name field, which resulted in a commit failure. |
PAN-61252 | Fixed an issue on firewalls in an HA active/active
configuration where the floating IP address was not active on the
secondary firewall after the link went down on the primary firewall. |
PAN-60333 | Fixed an issue where the firewall deployed
in an HA active/active configuration with asymmetric routing dropped
packets in TCP, ICMP, and UDP traffic. |
PAN-59654 | Fixed an issue where commits failed on the
firewall after upgrading from a PAN-OS 6.1 release due to incorrect
settings for the HexaTech VPN application on the firewall. With
this fix, upgrading from a PAN-OS 6.1 release to PAN-OS 7.1.9 (or
a later release) does not cause commit failures related to these
settings. |
PAN-59542 | Fixed an issue on firewalls with multiple virtual
systems where the web interface displayed the Trusted Root CA option
as disabled in certificates for which the option was actually enabled. |
PAN-59275 | Fixed an issue where processing Oracle application
traffic caused the firewall to reboot. |
PAN-58382 | Fixed an issue where users were matched to
the incorrect security policies. |
PAN-58212 | Fixed an issue where the dataplane restarted
unexpectedly when firewalls deployed in an HA configuration missed
heartbeats. |
PAN-57888 | Fixed an issue where the App Scope Traffic
Map did not display the correct location of Samoa. |
PAN-57529 | Fixed an issue where the firewall acted as
a DHCP relay and no wireless devices on a VLAN received a DHCP address
(all other devices on the VLAN did receive a DHCP address). With
this fix, all devices on a VLAN receive a DHCP address when the
firewall acts as a DHCP relay. |
PAN-57520 | Fixed an issue where firewalls stopped connecting
to Panorama when the root CA server certificate on Panorama expired.
With this fix, Panorama replaces the original certificate with a
new certificate that expires in 2024. |
PAN-57440 | Fixed an issue where OSPFv3 link-state updates
were sent with the incorrect OSPF checksum when the OSPF packet
needed to advertise more link-state advertisements (LSAs) than fit
into a 1,500-byte packet. With this fix, the firewall sends the
correct OSPF checksum to neighboring switches and routers even when
the number of LSAs doesn’t fit into a 1,500-byte packet. |
PAN-57349 | Fixed an issue where numerous SSL sessions
exhausted the memory pool that the firewall required to insert new
certificates in its certificate cache. |
PAN-57155 | Fixed an issue where custom reports did not
display a value for Day Received when running the report on demand
(Run Now) while the web interface language was set to Japanese.
(This was not an issue when exporting the report as a PDF, CSV,
or XML file.) |
PAN-55536 | Fixed an issue where commit failures caused
by the firewall commit queue being full did not display the correct
error message. |
PAN-55048 | Fixed an issue where the firewall did not forward
logs in the syslog format that you selected. |
PAN-52739 | Fixed an issue where virtual system administrators
saw commit warnings for virtual systems that were outside the scope
of their administrative role privileges. |
PAN-49764 | Fixed an issue where SNMP traps that the firewall
generated did not include its system name or hostname. |