End-of-Life (EoL)
Known Issues Related to PAN-OS 7.1 Releases
List of known issues in the PAN-OS® 7.1 release.
The following list describes WildFire Known Issues,
GlobalProtect Known Issues, and Firewall and Panorama Known Issues
in the PAN-OS 7.1 release:
For recent updates to known issues for a given PAN-OS release,
refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882.
Starting with PAN-OS 7.1.5, these release notes identify all unresolved
known issues using new issue ID numbers that include a product-specific
prefix. Known issues for earlier releases use both their new issue
IDs and their original issue IDs (in parentheses).
| Issue ID | Description |
|---|---|
| WildFire Known Issues | |
| WF500-3062 (95815) This issue is now resolved. | When PAN-OS 7.1 was first released, firewalls could not forward files to the WildFire Japan cloud for analysis. This issue is resolved for all PAN-OS 7.1 releases due to an update to the WildFire Japan cloud in August 2016. |
| WF500-1584 (67624) | When using a web browser to view a WildFire Analysis Report from a firewall that is using a WF-500 appliance for file sample analysis, the report may not appear until the browser downloads the WF-500 certificate. This issue occurs after upgrading a firewall and the WF-500 appliance to a PAN-OS 6.1 or later release. Workaround: Browse to the IP address or hostname of the WF-500 appliance, which will temporarily download the certificate into the browser. For example, if the IP address of the WF-500 is 10.3.4.99, open a browser and enter https://10.3.4.99. You can then access the report from the firewall by selecting Monitor > WildFire Submissions, clicking log details, and then clicking the WildFire Analysis Report tab. |
| GlobalProtect Known Issues | |
| GPC-2742 (88933) | If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users who are running Chrome OS 47 or later versions can encounter excessive prompts to select a client certificate. Workaround: To prevent excessive prompts, configure a policy in the Google Admin console to specify the client certificate and deploy that policy to your managed Chromebooks: |
| GPC-1737 (61720) | By default, the GlobalProtect app adds a route on iOS mobile devices that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel. Workaround: To configure the GlobalProtect app on iOS mobile devices to route all traffic—including traffic to the GP-100 GlobalProtect Mobile Security Manager—to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route): |
| GPC-1517 (56434) | For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add acl SSL_ports port 8443 to the allow list. |
| Firewall and Panorama Known Issues | |
| PLUG-380 | When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack, and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls. |
| PAN-140008 | ElasticSearch is forced to restart when the masterd process misses too many heartbeat messages on the Panorama management server, resulting in delays in log queries and log ingestion. |
| PAN-131915 | When you bootstrap a new firewall from a USB drive, the bootstrap fails and displays the following error message: no USB device found. Workaround: Perform a factory reset or run the request system private-data-reset CLI command and then proceed with bootstrapping. |
| PAN-126921 | (PA-7000 Series firewalls only) Internal path monitoring fails when the firewall processes corrupt packets. |
| PAN-100244 | Fixed an issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) resulted in an unexpected change to the configuration that caused the firewall to drop traffic. |
| PAN-96158 | (PAN-OS 7.1.18 and later PAN-OS 7.1 releases) After a high availability (HA) firewall cluster with graceful restart enabled on routing protocols fails over, it does not immediately display the connected, static, and host routes as Active. This issue does not impact performance, and the routes typically display as Active again within 30 seconds after the failover. |
| PAN-95999 | Firewalls in an active/active high availability (HA) deployment, with a default session setup and owner configuration, drop packets in a GlobalProtect VPN tunnel that uses a floating IP address. |
| PAN-95717 | After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails. |
| PAN-95511 | The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule. |
| PAN-95028 | The firewall does not apply password profile settings (Device > Password Profiles) to administrator accounts. |
| PAN-94167 | Firewalls randomly retain IP address-to-username mappings even after receiving information via User-ID Redistribution that the mapping was deleted or expired. |
| PAN-94023 | The request system external-list show type ip name <EDL_name> CLI command does not display external dynamic list entries after you restart the management server (mgmtsrvr) process. |
| PAN-93937 | The management server process (mgmtsrvr) on the firewall restarts whenever you push configurations from the Panorama management server. |
| PAN-93854 | The VM-Series firewall for NSX randomly disrupts traffic due to high CPU usage by the pan_task process. |
| PAN-93005 | The firewall generates System logs with High severity for Dataplane under severe load conditions that do not affect traffic. |
| PAN-92268 | On PA-7000 Series firewalls, one or more dataplanes do not pass traffic when you run several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update. Workaround: Perform another commit. |
| PAN-92254 | Commits fail on a PA-7000 Series firewall when the firewall configuration grows so large that it exhausts the internal configuration memory or the CTD memory buffer on the Network Processing Card (NPC). Workaround: Upgrade your firewall to PAN-OS 8.0.9 or a later release. The extended memory NPCs (PAN-PA-7000-20GXM-NPC and PAN-PA-7000-20GQXM-NPC) offer additional memory, which accommodates larger configurations. |
| PAN-92163 | On PA-7000 Series firewalls, one or more dataplanes do not pass traffic when you run several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update. Workaround: Perform another commit. |
| PAN-91088 | On PA-7000 Series firewalls in a high availability (HA) configuration, the HA3 link does not come up after you upgrade to PAN-OS 7.1.14 or a later 7.1 release. Workaround: Unplug and replug the HSCI modules. |
| PAN-90970 | On the Panorama management server, a policy rule dialog automatically closes within a couple of seconds after you open it to create or edit a rule. |
| PAN-90347 | On a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs), the firewall drops tunneled traffic after clear text sessions are established on a dataplane other than the first dataplane (DP0). Workaround: Use Palo Alto Networks firewalls on both ends of the IPSec tunnel, use one proxy ID per tunnel, or use only DP0 for establishing clear text sessions (run the set session processing-cpu dp0 CLI command). |
| PAN-89349 | On firewalls in an active/active high availability (HA) configuration, the primary firewall, with a floating IP address bound to it, sends ARP probes containing the MAC address of the secondary firewall instead of the primary. Sending ARP probes with the incorrect MAC address causes the secondary firewall to drop traffic. |
| PAN-88487 | The firewall stops enforcing policy after an automatic or manual refresh of an External Dynamic List (EDL) that has an invalid IP address or that resides on an unreachable web server. Workaround: Do not refresh EDLs that have invalid IP addresses or that reside on unreachable web servers. |
| PAN-87880 | Root partition utilization approaches the maximum capacity because the firewall doesn't remove WildFire download logs that are due for removal. Workaround: Manually kill the WildFire download processes. |
| PAN-87481 | SNMP managers do not display object identifiers (OIDs) for the Ethernet1/3, Ethernet1/4, and Ethernet1/5 interfaces of M-500 appliances. |
| PAN-86882 | The firewall dataplane slows significantly and, in some cases, stops responding if you use nested wildcards ("*") with "." or "/" as delimiters in the URLs of a custom URL category (Objects > Custom Objects > URL Category) or in the Allow List of a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL-filtering-profile> > Overrides). Workaround: The best practice is to use a single wildcard to cover multiple tokens or a caret (^) to target a single token. For details, see the article Nested Wildcard in URLs May Severely Affect Performance. |
| PAN-86624 | The Panorama management server doesn't display an Override button for Objects > External Dynamic Lists in child device groups that inherit the objects from parent device groups. |
| PAN-86226 | On PA-5000 Series firewalls running PAN-OS 7.1.12 or a later 7.0 release, insufficient proxy memory causes decryption failures and prevents users from accessing the GlobalProtect portal or gateway. |
| PAN-85938 | PAN-OS removes the IP address-to-username mappings of end users who log in to a GlobalProtect internal gateway within a second of logging out from it. |
| PAN-85744 | The User-ID process (useridd) produces an error message (Server error : Client useridd not ready) and stops responding during a commit operation. |
| PAN-85456 | Switching firewalls to FIPS-CC mode sets the Base DN to None and disables the Verify Server Certificate for SSL sessions option for LDAP server profiles that you view or edit in the web interface (Device > Server Profiles > LDAP). Workaround: Use the CLI (set shared server-profile ldap) or the PAN-OS XML API to configure the Base DN and the Verify Server Certificate for SSL sessions option for LDAP server profiles. |
| PAN-85299 | On firewalls in an active/passive high availability (HA) configuration with link or path monitoring enabled, a failover resulting from a link or path failure intermittently causes the deletion of host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that becomes active. The link or path failure also intermittently causes unnecessary BGP withdrawal messages to be sent to BGP peers. |
| PAN-85209 | End users cannot access websites for which the firewall applies Decryption policy and uses Online Certificate Status Protocol (OCSP) to verify the status of certificates. The issue occurs in cases where the certificate cache on the firewall is modified during the access attempts. |
| PAN-84792 | Firewalls report an interface speed of zero for some interfaces instead of the maximum possible speed when you run an SNMP query for the ifHighSpeed object (OID 1.3.6.1.2.1.31.1.1.1.15). |
| PAN-84445 | On occasion, the App-ID for an application that is using SSL is identified incorrectly. This issue occurs when a server hosts multiple applications on the same port: after the firewall has identified traffic for one application on that server and port, it inaccurately records other applications on the same server-port combination as the previously identified application. |
| PAN-84199 | After you disable the Skip Auth on IKE Rekey option in the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings), the firewall still applies the option: end users with endpoints that use Extended Authentication (X-Auth) don't have to re-authenticate when the key used to establish the IPSec tunnel expires. |
| PAN-83909 | The WF-500 appliance sends ICMP unreachable messages from the VM Interface to the Management interface. |
| PAN-83598 | VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources). |
| PAN-82957 | (PAN-OS 7.1.11 and later 7.1 releases) Firewalls do not send queries for updated user mappings to User-ID agents; instead, the firewalls wait until the agents learn and forward new user mappings. In a deployment that includes Windows-based User-ID agent 7.0.7 or earlier agent releases, this delay in updating user mappings on the firewalls disrupts user-based policy enforcement because the firewalls prematurely remove user mappings received from those agents (see WINAGENT-53 in the User-ID Agent 7.0.8 Addressed Issues list). Workaround: Upgrade the Windows-based User-ID agents to User-ID agent 7.0.8 or a later release. Alternatively, run the debug user-id query-unknown-ip yes CLI command on firewalls so that they will query the agents running an earlier User-ID agent release; however, if you use the alternate workaround, you must re-run the debug user-id command every time the firewall reboots. |
| PAN-82637 | The Panorama management server stops responding after you use a PAN-OS XML API call to rename a policy rule or object and you accidentally use its old name as the new name. |
| PAN-82273 | Blocking proxy sessions to enforce Decryption policy rules causes packet buffer depletion, which eventually results in packet loss. |
| PAN-82117 | PA-5000 Series firewalls in an active/active high availability (HA) configuration intermittently drop packets due to a race condition that occurs when the session owner and session setup are on different HA peers. |
| PAN-82109 | On VM-Series firewalls, the session capacity drops to 1,248 after you activate a capacity license. |
| PAN-82076 | Traffic delays occur on PA-7000 Series firewalls due to packet buffer congestion when the all_pktproc process stops responding due to an incorrect Policy Based Forwarding (PBF) policy rule ID that references an invalid egress interface. |
| PAN-81682 | The firewall dataplane restarts while processing traffic after you enable SSL Inbound Inspection but not SSL Forward Proxy decryption. |
| PAN-81585 | After you rename an object in a device group on the Panorama management server, a commit error occurs because policies in the child device groups still reference the object by its old name. |
| PAN-81521 | Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos). Workaround: Replace the FQDN with the IP address in the Kerberos server profile. |
| PAN-81457 | The firewall stops submitting samples to WildFire for analysis until you run the debug wildfire reset dp-receiver CLI command. |
| PAN-81061 | PA-3000 Series firewalls intermittently drop long-lived sessions that are active during a content update if you immediately follow the update with an Antivirus or WildFire update. |
| PAN-80564 | The firewall mgmtsrvr process and other processes repeatedly restart due to abnormal system memory usage when a connection failure occurs between the firewall and a syslog server that use TCP over SSL/TLS to communicate. Workaround: In PAN-OS 7.1.11 and later 7.1 releases, you can stop the continuous restarts by running the debug syslog-ng restart CLI command to restart the syslog-ng process. Alternatively, for all PAN-OS 7.1 releases, you can use UDP for communication between the firewall and syslog server. |
| PAN-80246 | After using a Panorama management server running PAN-OS 7.1 to Force Template Values when pushing device group or template configurations to firewalls running an earlier PAN-OS release, FQDN refreshes fail on the firewalls. Workaround: When pushing device group or template configurations, don't Force Template Values. If you already did, run the commit force configuration mode command at the CLI of each affected firewall to resolve the issue. Another workaround is to upgrade the firewalls to the same PAN-OS release as Panorama. |
| PAN-79945 | The Panorama management server cannot deploy antivirus or WildFire updates to firewalls that already have later versions of the updates. |
| PAN-79450 | In rare cases, when the firewall is under a heavy load, some PAN-OS software update-related processes stall and do not recover. Workaround: Reboot the firewall. |
| PAN-79423 | Panorama cannot push address group objects from device groups to managed firewalls if zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and if the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings). Workaround: After an explicit deny-all-and-log rule, create a security policy rule that includes the Address or Address Group objects. The deny-all-and-log rule handles all sessions not handled by any previous rule. The security policy rule containing the address objects, while it would never be used, allows you to push the address objects to managed firewalls. |
| PAN-79071 | Loading a partial configuration (using the load config partial CLI command) changes the port numbers in service and service group objects. Workaround: Remove any duplicate service, service group, application, or application group objects from the configuration that you will load. |
| PAN-78718 | A PA-7000 Series firewall running PAN-OS 7.1.12 or an earlier release stops saving and displaying new logs due to a memory leak after a Panorama management server running a PAN-OS 8.0 release pushes a predefined report that specifies a field that is unrecognized by the firewall running the earlier PAN-OS release (Monitor > Reports > Mobile Network Reports). Workaround: Disable GTP reports in Panorama 8.0. |
| PAN-78431 | Firewalls in an active/passive HA configuration with OSPF or BGP graceful restart enabled take longer than expected to fail over. Workarounds: |
| PAN-78015 | In rare cases on a Panorama management server in a high availability (HA) configuration, the virtual machine (VM) auth key disappears after you reboot the active HA peer. Workaround: Generate a new key, update the firewall init-cfg.txt file with the new key, and reboot the firewall. |
| PAN-77702 | Dynamic address updates take several minutes to complete on Panorama in NSX deployments. |
| PAN-77595 | PA-7000 Series firewalls forward a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy. |
| PAN-77326 | In a high availability (HA) hardware security module (HSM) configuration, the crypto process (cryptod) for the SafeNet resource library in SafeNet Client 6.2.2 stops responding when the route to the HSM changes. This process also stops responding intermittently when the cryptod process tries to close the HSM sessions. |
| PAN-77125 | PA-7000 Series firewalls configured in tap mode don't close offloaded sessions after processing the associated traffic; the sessions remain open until they time out. Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command. |
| PAN-77116 | After bootup, the firewall displays error messages such as Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code, even though the bootup is successful. Workaround: Ignore the error messages; they do not affect the firewall operations. |
| PAN-77062 | Administrators with a custom role cannot delete packet captures. |
| PAN-76702 | Several dataplane processes stop responding when the firewall processes VPN traffic with IP packet chains, which are usually triggered by IP fragmentation or SSL decryption operations. |
| PAN-76509 | On firewalls with multiple virtual systems, custom spyware signatures work only on vsys1. |
| PAN-76454 | On PA-7000 Series firewalls, Generic Routing Encapsulation (GRE) session creation fails when the firewalls receive GRE packets with a Point-to-Point Protocol (PPP) payload. |
| PAN-76184 | On PA-7000 Series firewalls, disabling the option to Turn on QoS feature on this interface (Network > QoS) reduces throughput on 40Gbps interfaces. |
| PAN-76162 | A Panorama management server running a PAN-OS 8.0 release or PAN-OS 7.1.8 or later 7.1 release does not display logs from PA-7000 Series firewalls running a PAN-OS 7.1 or 7.0 release. Workaround: Run the debug skip-condor-reports no command and then the debug software restart process reportd command on the Panorama management server so that it can successfully query PA-7000 Series firewalls running a PAN-OS 7.1 release. Do not use the debug skip-condor-reports no command to work around this issue if you use Panorama running a PAN-OS 8.0 release to manage a PA-7000 Series firewall running a PAN-OS 7.0 release (see PAN-77033 in the PAN-OS 7.0 or PAN-OS 8.0 Release Notes). |
| PAN-76058 This issue is now resolved (requires content release version 718 or later). See PAN-OS 7.1.11 Addressed Issues. | When migrating URL categories from BrightCloud to PAN-DB, Panorama does not apply the migration to pre-rules and post-rules. |
| PAN-75881 | A regression introduced in PAN-OS 7.1.9 causes the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory. |
| PAN-75512 | The firewall doesn't decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto). Workaround: Select an Encryption algorithm other than aes-256-gcm. |
| PAN-75358 | Firewalls configured to use a SafeNet hardware security module (HSM) server successfully create a support file when you export a support file from the web interface, but they incorrectly return the following error message: op command for client cryptod time out as client is not available. This issue also occurs when requesting the support file using the request hsm support-info CLI command, but you can confirm that the support info file was created successfully by using a different HSM-related command, such as show hsm state, after you request the HSM support file. |
| PAN-75044 | As of PAN-OS 7.1.9, the PA-200 firewalls no longer store the previous WildFire content package after a WildFire content update. As a result, the option to revert to the previous WildFire package is no longer available on the web interface. However, the CLI command for this task (request wildfire downgrade install previous) was not removed and now results in an error message (downgrade job failed). |
| PAN-75005 | Loading a configuration other than running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release removes authentication profiles from GlobalProtect portals and gateways, which causes an auto-commit failure. Workaround: Select running-config.xml when downgrading from PAN-OS 7.1.8 to a PAN-OS 7.0 release. |
| PAN-74886 | Panorama does not push a shared address object to firewalls when the object is part of a dynamic address group that uses a tag. |
| PAN-74652 | After a firewall successfully installs a content update received from Panorama, Panorama displays a failure message for the update if the associated job ID on the firewall is higher than 65536. |
| PAN-74632 | The firewall does not clear IP address-to-username mappings or username-to-group mappings after reaching the limit for the number of user groups (100,000), which causes commit failures with the errors user-id is not registered and User-ID manager was reset. Commit is required to reinitialize User-ID. |
| PAN-74293 | The firewall drops sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application. |
| PAN-74139 | On the PA-500 firewall, insufficient memory allocation causes SSL decryption errors that result in SSL session failures, and Traffic logs display the Session End Reason as decrypt-error or decrypt-cert-validation. |
| PAN-74054 | On firewalls in an active/passive HA configuration, a link-monitoring failure causes a delay in OSPF convergence on the firewall that becomes active after HA failover. Workaround: Set the Promotion Hold Time and Additional Master Hold Up Time to 0ms in the HA configuration (Device > High Availability > Election Settings). |
| PAN-72894 | Panorama does not display HA firewalls (Panorama > Managed Devices) after the configd process stops. |
| PAN-72342 | End users who ignore the Duo V2 authentication prompt until it times out can still authenticate successfully to a GlobalProtect portal configured for two-factor authentication. |
| PAN-71765 | In PAN-OS 7.1.7, deactivating a VM-Series firewall from Panorama completes successfully, but the web interface does not update to show that deactivation is complete. Workaround: View deactivation status from Managed Devices (Panorama > Managed Devices). |
| PAN-71485 | A firewall in FIPS-CC mode reboots in maintenance mode after you download GlobalProtect Client software that is listed under Device > GlobalProtect Client but is unavailable on the Palo Alto Networks Update Server. |
| PAN-71217 | The Panorama log collector does not support the server-verification CLI configuration, thereby preventing you from using the CLI to install content and software updates in a secure manner. Workaround: Use the log collector CLI command request license api-key delete and then install content and software updates from Panorama. |
| PAN-71215 | In PAN-OS 7.1.7, when deactivating a VM-Series firewall from Panorama, if Panorama has the Verify Update Server Identity setting enabled (Panorama > Setup > Services > Verify Update Server Identity) but the firewall has the setting disabled (Device > Setup > Services), deactivation on the firewall does not complete successfully and the firewall becomes unreachable. Workaround: Ensure Panorama and the VM-Series firewall both have the Verify Update Server Identity setting enabled before deactivating the firewall. |
| PAN-70323 | Firewalls running in FIPS-CC mode do not allow import of SHA-1 CA certificates even when the private key is not included; instead, firewalls display the following error: Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode. |
| PAN-70119 | The firewall maps users to the Kerberos Realm defined in authentication profiles (Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets. |
| PAN-69874 | (PAN-OS 7.1.5 and later releases only) When the PAN-OS XML API sends user mappings with no timeout value to a firewall that has the Enable User Identification Timeout option disabled, the firewall assigns the mappings a timeout of 60 minutes instead of never. |
| PAN-69367 | The firewall incorrectly generates packet diagnostic logs and captures packets for sessions that are not part of a packet filter (Monitor > Packet Capture). |
| PAN-69340 | When you use a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied. Workaround: Use the request restart software CLI command or reboot the firewall manually to activate the session capacity for the VM-Series model. |
| PAN-68974 | On PA-3000 Series firewalls, you cannot configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile). |
| PAN-67987 | The GlobalProtect agent fails to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm. |
| PAN-67544 | When a Multicast Forwarding Information Base (MFIB) times out, the packet processing process (flow_ctrl) stops, which intermittently causes the firewall dataplane to restart. |
| PAN-67079 | In PAN-OS 7.1.6, SSL sessions are discarded if the server certificate chain size exceeds 23KB. See Changes to Default Behavior for more information about this issue. Workaround: Exclude the affected site from decryption. Refer to live.paloaltonetworks.com/t5/Learning-Articles/How-to-Exclude-a-Site-from-SSL-Decryption/ta-p/56738. |
PAN-66997 | On PA-7000 Series and PA-5000 Series firewalls,
users who access applications over SSL VPN or IPSec tunnels through
GlobalProtect experienced one-directional traffic. |
PAN-64725 | On PA-7000 Series firewalls and Panorama Log
Collectors, log collection processes consume excess memory and do
not process logs as expected. This issue occurs when DNS response
times are slow and scheduled reports contain fields that require
DNS lookups. Workaround: Use the debug management-server
report-namelookup disable CLI command to disable DNS lookups for
reporting purposes. |
PAN-63908 | SSH sessions are incorrectly subjected to a
URL category lookup even when SSH decryption is not enabled. As
a result, SSH traffic is blocked when you enable forward proxy and
configure a deny rule to match all traffic whose URL category is
Unknown. |
PAN-63905 | Installing a content update or committing configuration
changes on the firewall causes RTP sessions that were created from
predict sessions to move from an active state to a discard state. |
PAN-62453 | Entering vSphere maintenance mode on a VM-Series
firewall without first shutting down the Guest OS for the agent
VMs causes the firewall to shut down abruptly, and results in issues
after the firewall is powered on again. Refer to Issue 1332563 in
the VMware release notes: www.vmware.com/support/pubs/nsx_pubs.htmlWorkaround:
VM-Series firewalls are Service Virtual Machines (SVMs) pinned to
ESXi hosts and should not be migrated. Before you enter vSphere
maintenance mode, use the VMware tools to ensure a graceful shutdown
of the VM-Series firewall. |
PAN-61834 (101429) | The firewall captures packets of IP addresses
that are not included in the packet filter (Monitor > Packet Capture). |
PAN-61724 (101293) | The Network Monitor report (Monitor > App Scope
> Network Monitor) displays only partial data when you select Source
or Destination for a data set that includes a large number of source
or destination IP addresses and usernames. However, the report does
display all data as expected when you instead select Application
or Application Category for a large data set. |
PAN-59996 (99050) | VM-Series firewalls don't apply NAT translation
to the ports in the via and contact headers of Session Initiation
Protocol (SIP) sessions after you enable Dynamic IP and Port (DIPP)
NAT. |
PAN-59614 (98576) | In PAN-OS 7.1 and later releases, the maximum
number of address objects you can resolve for an FQDN is increased
from 10 of each address type (IPv4 and IPv6) to a maximum of 32
each. However, the combination of IPv4 and IPv6 addresses cannot
exceed 512B; if it does, addresses that are not included in the
first 512B are dropped and not resolved. |
PAN-59298 (98164) | If you delete the proxy server configuration
on the firewall for the AutoFocus service, the configuration remains. Workaround: Use
the request restart software CLI command or reboot the firewall
to clean up the proxy server configuration. |
PAN-59258 (98112) | For a firewall in an HA active/active configuration,
session timeouts for some traffic unexpectedly refresh after a commit
or HA sync attempt. |
PAN-58872 (97584) | The automatic license deactivation workflow
for firewalls with direct internet access does not work. Workaround: Use
the request license deactivate key features <name> mode manual
CLI command to Deactivate a Feature License or Subscription Using
the CLI. To Deactivate a VM, choose Complete Manually (instead of
Continue) and follow the steps to manually deactivate the VM. |
PAN-57629 (95846) | Deleting the default administrator account
on a VM-Series firewall in AWS causes the firewall to go into maintenance
mode. This occurs because, to reboot successfully, the firewall
requires the SSH key associated with the administrator account (the
private key, ssh-key, used to provision the firewall in AWS). |
PAN-57546 (95723) | If you configure the GlobalProtect portal or
gateway to authenticate using an authentication sequence and then
specify a domain\user in the User/User Group settings of an agent
configuration, authentication using secure encrypted cookies will
fail. |
PAN-57218 (95260) | The pan-comm option for restarting the dataplane
communication process is not available in the debug software restart
process operational CLI command. |
PAN-56820 (94695) | By default, the AutoFocus URL in the AutoFocus
settings (Device > Setup > Management) is pre-configured with the
correct URL for connecting to AutoFocus but the firewall will fail
to connect to AutoFocus if you don't manually re-enter the URL.
This issue occurs only when you initially configure AutoFocus settings
(for example, after performing a factory reset of the firewall or
after upgrading to PAN-OS 7.1). Workaround: When initially
enabling AutoFocus threat intelligence on the firewall, you must
delete the default AutoFocus URL and manually re-enter the address
(https://autofocus.paloaltonetworks.com:10443). |
PAN-56303 (93882) | The VM-Series for Azure is supported in the
Azure Resource Manager (ARM) environment only. You cannot export
the VM-Series firewall or its VHD disk image from Azure and deploy
it in a local or private data center. Also, you cannot re-import
a VM-Series firewall or its VHD disk image into the ARM environment. |
PAN-56217 (93752) | You cannot configure multiple DNS proxy objects
that specify for the firewall to listen for DNS requests on the
same interface (Network > DNS Proxy > Interfaces). If multiple DNS
proxy objects are configured with the same interface, only the first
DNS proxy object settings are applied. Workaround: If there
are DNS proxy objects configured with the same interface, you must
modify the DNS proxy objects so that each object specifies unique
interfaces:
|
PAN-55825 (93097) | Performing an AutoFocus remote search that
is targeted to a PAN-OS firewall or Panorama does not work correctly
when the search condition contains a single or double quotation
mark. |
PAN-55754 (92979) | The Administrator Use Only option (Template
> Device > Radius Profile) is not available in PAN-OS 7.1.0 or PAN-OS
7.1.1. |
PAN-55472 (92472) | During the connection of a satellite to the
GlobalProtect gateway, the Online Certificate Status Protocol (OCSP)
verification for the GlobalProtect certificate fails because the
OCSP response does not contain the signature certificate. |
PAN-55437 (92423) | High availability (HA) for VM-Series firewalls
does not work in AWS regions that do not support the signature version
2 signing process for EC2 API calls. Unsupported regions include
AWS EU (Frankfurt) and Korea (Seoul). |
PAN-55253 (92094) | The firewall does not display the SaaS Application
Usage report (Monitor > PDF Reports > SaaS Application Usage) if
you Close the job execution status dialog (which appears when you click
Run Now to generate a SaaS report), move to another tab, and then
Commit changes before the SaaS report finishes generating. |
PAN-55203 (92015) | When you change the reporting period for a
scheduled report, such as the SaaS Application Usage PDF report,
the report can have incomplete or no data for the reporting period. Workaround: If
you need to change the reporting period for any scheduled report,
create a new report for the desired time period instead of modifying
the time period on an existing report. |
PAN-55121 (91885) | If you create a log filter by clicking a value
in the Destination Country or Source Country column of a log page
(such as the Monitor > Logs > Traffic page), the filter does not
work because the filter string uses the country name instead of
the country code. This issue occurs only when the value is a country;
the filter works for other types of regions (such as city names). Workaround: Manually
change the country name to the country code in the filter string
(for example, change United States to US). |
PAN-55019 (91726) | If a call manager or SIP proxy is in a different
zone than either the called or the calling party, using the hold
and resume feature can result in one-way audio. Workaround: If
using NAT, configure the call manager and local phone in the same
zone. |
PAN-54806 (91395) | Simultaneous transfer of large files from two
different SMB servers over a GlobalProtect connection from a Windows
8 client causes the connection to fail. Workaround: In
PAN-OS 7.1.2 and later releases, enable Heuristics on Windows 8
clients or set the tunnel interface MTU size to 1,300 to avoid this
issue. |
PAN-54660 (91171) | When the firewall is processing a high volume
of BFD sessions for routing peers that use BGP, OSPF or RIP, and
the firewall is also processing a high volume of packets that belong
to existing sessions and are not offloaded, the BFD sessions to
those peers will flap when the firewall receives a content update. |
PAN-54611 (91086) | PA-7000 Series firewalls experience BGP disconnections
because the firewall fails to send keepalive messages to neighbors
within the configured timers. |
PAN-54606 (91079) | An ungraceful reboot on a VM-Series firewall
causes Dynamic IP address information to get out of sync. |
PAN-54319 (90596) | The FPGA intermittently fails to initialize
on PA-5000 Series firewalls. |
PAN-54254 (90496) | In Traffic logs, the following session end
reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicate
the incorrect reason for session termination: decrypt-cert-validation,
decrypt-unsupport-param, or decrypt-error. |
PAN-54153 (90326) | The botnet log cleanup job on a PA-7000 Series
firewall runs two hours before the system-generated botnet reports
are triggered, which results in empty or no botnet reports when
no logs are collected between jobs. |
PAN-54100 (90256) | Decrypted SSH sessions are not mirrored to
the decrypt mirror interface as expected. |
PAN-53897 (89925) | Tarball images for bootstrapping firewalls
that are created using a Mac OS (BSD-based tar format) are incompatible
with the Debian-based tar format used by PAN-OS firewalls. Workaround: Use
a Windows system to create a tarball image that is compatible with
the firewalls. |
PAN-53825 (89818) | For the VM-Series NSX edition firewall, when
you add or modify an NSX service profile zone on Panorama, you must
perform a Panorama commit and then perform a device group commit
with the Include Device and Network Templates option selected. To
successfully redirect traffic to the VM-Series NSX edition firewall,
you must perform both a Template and a Device Group commit when
you modify the zone configuration to ensure that the zones are available
on the firewall. |
PAN-53663 (89552) | When you open the SaaS Application Usage Report
(Monitor > PDF Reports > SaaS Application Usage) on multiple tabs
in a browser, each for a different virtual system (vsys), and you
attempt to export PDFs from each tab, only the first request is
accurate; all successive attempts will result in PDFs that are duplicates
of the first report. Workaround: Export only one PDF at
a time and wait for that export process to finish before you trigger
the next export request. |
PAN-53601 (89460) | A Panorama management server running on an
M-Series appliance cannot connect to a SafeNet Network or nCipher
nShield Connect hardware security module (HSM). |
PAN-52067 (86828) | When you push configurations to a specific
device group, the Panorama web interface displays a commit failure
message (commit timed out) even though the operation succeeded. |
PAN-51969 (86666) | On the NSX Manager, when you unbind an NSX
Security Group from an NSX Security Policy rule, the dynamic tag
and registered IP address are updated on Panorama but are not updated
on the VM-Series firewalls. Workaround: To push the Dynamic
Address Group updates to the VM-Series firewalls, you need to manually
synchronize the configuration with the NSX Manager. (Panorama >
VMware Service Manager, and select NSX Config-Sync). |
PAN-51952 (86640) | If a security group overlap occurs in an NSX
Security policy where the same security group is weighted with a
higher and a lower priority value, the traffic may be redirected
to the wrong service profile (VM-Series firewall instance). This
issue occurs because an NSX Security policy with a higher weight
does not always take precedence over a policy with a lower weight. Workaround: Make
sure that members that are assigned to a security group are not
overlapping with another security group and that each security group
is assigned to a unique NSX Security policy rule. This allows you
to ensure that NSX Security policy does not redirect traffic to the
wrong service profile (VM-Series firewall). |
PAN-51870 (86501) | When using the CLI to configure the management
interface as a DHCP client, the commit fails if you do not provide
all four DHCP parameters in the command. For a successful commit
when using the set deviceconfig system type dhcp-client command,
you must include each of the following parameters: accept-dhcp-domain,
accept-dhcp-hostname, send-client-id, and send-hostname. |
PAN-51869 (86500) | Canceling pending commits does not immediately
remove them from the commit queue. The commits remain in the queue
until PAN-OS dequeues them. |
PAN-51673 (86159) | BFD sessions are not established between two
RIP peers when there are no RIP advertisements. Workaround: Enable
RIP on another interface to provide RIP advertisements from a remote
peer. |
PAN-51216 (85458) | The NSX Manager fails to redirect traffic to
the VM-Series firewall when you define new Service Profile zones
for NSX on Panorama. This issue occurs intermittently on the NSX
Manager when you define security rules to redirect traffic to the
new service profiles that are available for traffic introspection
and results in the following error: Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host <name>. |
PAN-51181 (85397) | A Palo Alto Networks firewall, M-100 appliance,
or WF-500 appliance configured to use FIPS operational mode will
fail to boot when rebooting after an upgrade to PAN-OS 7.0 or later
releases. Workaround: Enable FIPS and Common Criteria support
on all Palo Alto Networks firewalls and appliances before you upgrade
to a PAN-OS 7.0 or later release. |
PAN-51122 (85315) | For the VM-Series firewall, if you manually
reset a heartbeat failure alarm on the vCenter server to indicate
that the VM-Series firewall is healthy (change color to green),
the vCenter server does not trigger a heartbeat failure alarm again. |
PAN-50973 (85086) | FIPS-CC mode is not supported on the VM-Series
firewall on Microsoft Hyper-V. Although the option for FIPS-CC mode
is displayed in the maintenance mode menu, you cannot enable this
option. |
PAN-50677 (84641) | The firewall does not update some processes
as expected (such as mgmtsrvr, reportd, logd, and pan_log_receiver)
when you specify a new DNS server (Device > Setup > Services [>
Global ]), which causes the firewall to continue forwarding some
DNS requests to the previously configured DNS server instead of
the current one. |
PAN-50651 (84594) | On PA-7000 Series firewalls, one data port
must be configured as a log card interface because the traffic and
logging capabilities of this platform exceed the capabilities of
the management port. A log card interface performs WildFire file-forwarding
and log forwarding for syslog, email, and SNMP and these services
require DNS support. If you have set up a custom service route for
the firewall to use to perform DNS queries, services using the log
card interface might not be able to generate DNS requests. This
is only an issue if you’ve configured the firewall to use a service
route for DNS requests, and in this case, you must perform the following
workaround to enable communication between the firewall data plane
and the log card interface. Workaround: Enable the DNS
Proxy on the firewall, and do not specify an interface for the DNS
proxy object (leave the field Network > DNS Proxy > Interface clear).
See the steps to enable DNS proxy or use the CLI command set deviceconfig
system dns-setting dns-proxy-object. |
PAN-50641 (84569) | Enabling or disabling BFD for BGP or changing
a BFD profile that a BGP peer uses causes the connection to the
BGP peer to flap. |
PAN-50197 (83722) | Destination-based service routes do not work
for RADIUS authentication servers. Workaround: Use service-specific
service routes instead of destination-based service routes for RADIUS
authentication servers. |
PAN-50186 (83702) | WildFire Analysis reports do not display as
expected in the WildFire Analysis Report tab (Monitor > Logs > WildFire
Submissions > Detailed Log View) on PA-7000 Series firewalls running
PAN-OS 7.0.2 and later releases. Workaround: Use the WildFire
portal (https://wildfire.paloaltonetworks.com) or the WildFire API
to retrieve WildFire Analysis reports. |
PAN-50038 (83446) | When you enable jumbo frames on a VM-Series
firewall in AWS using the set deviceconfig setting jumbo-frame mtu
configuration mode CLI command, the maximum transmission unit (MTU)
size on the interfaces does not increase. The MTU on each interface
remains at a maximum value of 1500 bytes. |
PAN-48565 (80589) | The VM-Series firewall on Citrix SDX does not
support jumbo frames. |
PAN-48456 (80387) | IPv6-to-IPv6 Network Prefix Translation (NPTv6)
is not supported when configured on a shared gateway. |
PAN-48346 (80177) | The URL block page does not display as expected
when proxied requests from the client use the CONNECT method. |
PAN-47969 (79462) | If you log in to Panorama as a Device Group
and Template administrator and rename a device group, the Panorama
> Device Groups page no longer displays any device groups. Workaround: After
you rename a device group, perform a commit, log out, and log back
in; the page then displays the device groups with the updated values. |
PAN-47073 (77850) | Web pages using the HTTP Strict Transport Security
(HSTS) protocol sometimes do not display properly for end users. Workaround: End
users must import an appropriate forward-proxy-certificate for their
browsers. |
PAN-46344 (76601) | When you use a Mac OS Safari browser, client
certificates will not work for Captive Portal authentication. Workaround: On
a Mac OS system, instruct end users to use a different browser (for
example, Mozilla Firefox or Google Chrome). |
PAN-45793 (75806) | On a firewall with multiple virtual systems,
if you add an authentication profile to a virtual system and give
the profile the same name as an authentication sequence in Shared,
reference errors occur. The same errors occur if the profile is
in Shared and the sequence with the same name is in a virtual system. Workaround: When
creating authentication profiles and sequences, always enter unique
names, regardless of their location. For existing authentication
profiles and sequences with similar names, rename the ones that
are currently assigned to configurations (for example, a GlobalProtect
gateway) to ensure uniqueness. |
PAN-44616 (73997) | On the ACC > Network Activity tab, if you add
the label Unknown as a global filter, the filter gets added as A1
and query results display A1 instead of Unknown. |
PAN-44400 (73674) | The link on a 1Gbps SFP port on a VM-Series
firewall deployed on a Citrix SDX server does not come up when successive
failovers are triggered. This behavior is only observed in an active/active
HA configuration. Workaround: Use a 10Gbps SFP port instead
of the 1Gbps SFP port on the VM-Series firewall deployed on a Citrix
SDX server. |
PAN-44300 (73518) | WildFire analysis reports cannot be viewed
on firewalls running PAN-OS 6.1 release versions if connected to
a WF-500 appliance in Common Criteria mode that is running PAN-OS
7.0 or later releases. |
PAN-43000 (71624) | Vulnerability detection of SSLv3 fails when
SSL decryption is enabled. This occurs when you attach a Vulnerability
Protection profile (that detects SSLv3—CVE-2014-3566) to a Security
policy rule and that Security policy rule and an SSL Decryption
policy rule are configured on the same virtual system in the same
zone. After performing SSL decryption, the firewall sees decrypted
data and no longer sees the SSL version number. In this case, the
SSLv3 vulnerability is not identified. Workaround: PAN-OS
7.0 introduced enhancements to SSL Decryption that enable you to
prohibit the inherently weaker SSL/TLS versions, which are more
vulnerable to attacks. For example, you can use a Decryption Profile
to enforce a minimum protocol version of TLS 1.2 or select Block sessions
with unsupported versions to disallow unsupported protocol versions
(Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy
and/or SSL Inbound Inspection). |
PAN-42131 (70319) | Typing user group names instead of selecting
from a drop-down when configuring policy rules disrupts the enforcement
of rules that are based on those groups in cases where the firewall
has not finished processing group mappings retrieved from an LDAP
server. Workaround: The best practice when configuring
group-based policy rules is to first commit any changes to group
mapping configurations, verify that the firewall has processed the
groups it retrieved (run the show user group CLI command), and then
select the groups from a drop-down instead of typing the group names. |
PAN-41558 (69458) | When you use a firewall loopback interface
as a GlobalProtect gateway interface, traffic is not routed correctly
for third-party IPSec clients, such as strongSwan. Workaround: Use
a physical firewall interface instead of a loopback firewall interface
as the GlobalProtect gateway interface for third-party IPSec clients.
Alternatively, configure the loopback interface that is used as
the GlobalProtect gateway to be in the same zone as the physical ingress
interface for third-party IPSec traffic. |
PAN-40842 (68330) | When you configure a firewall to retrieve a
WildFire signature package, the System log shows unknown version
for the package. For example, after a scheduled WildFire package
update, the system log shows: WildFire package upgraded from version
<unknown version> to 38978-45470. This is a cosmetic issue only
and does not prevent the WildFire package from installing. |
PAN-40714 (68095) | If you access Device > Log Settings on a device
running a PAN-OS 7.0 or later release and then use the CLI to downgrade
the device to PAN-OS 6.1 or an earlier release and reboot, an error
message appears the next time you access Log Settings. This occurs
because PAN-OS 7.0 and later releases display Log Settings in a
single page whereas PAN-OS 6.1 and earlier releases display the
settings in multiple sub-pages. To clear the message, navigate to
another page and return to any Log Settings sub-page; the error
will not recur in subsequent sessions. |
PAN-40130 (66976) | In the WildFire Submissions logs, the email
recipient address is not correctly mapped to a username when configuring
LDAP group mappings that are pushed in a Panorama template. |
PAN-40079 (66887) | The VM-Series firewall on KVM, for all supported
Linux distributions, does not support the Broadcom network adapters
for PCI pass-through functionality. |
PAN-40075 (66879) | The VM-Series firewall on KVM running on Ubuntu
12.04 LTS does not support PCI pass-through functionality. |
PAN-39728 (66233) | The URL logging rate is reduced when HTTP header
logging is enabled in the URL Filtering profile (Objects > Security
Profiles > URL Filtering > <URL Filtering profile> > Settings). |
PAN-39636 (66059) | Regardless of the Time Frame you specify for
a scheduled custom report on a Panorama M-Series appliance, the
earliest possible start date for the report data is effectively
the date when you configured the report. For example, if you configure
the report on the 15th of the month and set the Time Frame to Last
30 Days, the report that Panorama generates on the 16th will include
only data from the 15th onward. This issue applies only to scheduled
reports; on-demand reports include all data within the specified
Time Frame. Workaround: To generate an on-demand report,
click Run Now when you configure the custom report. |
PAN-39501 (65824) | Unused NAT IP address pools are not cleared
after a single commit, so a commit fails if the combined cache of
unused pools, existing used pools, and new pools exceeds the memory
limit. Workaround: Commit a second time, which clears the
old pool allocation. |
PAN-38584 (63962) | Configurations pushed from Panorama 6.1 and
later releases to firewalls running PAN-OS 6.0.3 or earlier PAN-OS
6.0 releases will fail to commit due to an unexpected Rule Type
error. This issue is caused by the new Rule Type setting in Security
policy rules that was not included in the upgrade transform and,
therefore, the new rule types are not recognized on devices running
PAN-OS 6.0.3 or earlier releases. Workaround: Only upgrade
Panorama to version 6.1 or later releases if you are also planning
to upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier
PAN-OS 6.0 release to a PAN-OS 6.0.4 or later release before pushing
a configuration to the devices. |
PAN-38255 (63186) | If you perform a factory reset on a Panorama
virtual appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug software
restart management-server CLI command. |
PAN-37511 (60851) | Due to a limitation related to the Ethernet
chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will
not perform link fault signaling as standardized when a fiber in
the fiber pair is cut or disconnected. |
PAN-37177 (59856) | After deploying the VM-Series firewall, when
the firewall connects to Panorama, you must issue a Panorama commit
to ensure that Panorama recognizes the firewall as a managed device.
If you reboot Panorama without committing the changes, the firewall
will not connect back to Panorama; although the device group will
display the list of devices, the device will not display in Panorama
> Managed Devices. Further, if Panorama is configured in an HA
configuration, the VM-Series firewall is not added to the passive
Panorama peer until the active Panorama peer synchronizes the configuration.
During this time, the passive Panorama peer will log a critical
message: vm-cfg: failed to process registration from svm device.
vm-state: active. This message is logged until you commit the changes
on the active Panorama, which then initiates synchronization between
the Panorama HA peers and the VM-Series firewall is added to the
passive Panorama peer. Workaround: To reestablish the
connection to the managed devices, commit your changes to Panorama
(click Commit and select Commit Type Panorama). In case of an HA
setup, the commit will initiate the synchronization of the running
configuration between the Panorama peers. |
PAN-37127 (59749) | On the Panorama web interface, the Policies
> Security > Post Rules > Combined Rules Preview window does not
display post rules and local rules for managed devices. |
PAN-37044 (59573) | Live migration of the VM-Series firewall is
not supported when you enable SSL decryption using the SSL forward
proxy method. Use SSL inbound inspection if you need support for
live migration. |
PAN-36730 (58839) | (VM-Series for NSX firewalls only) When deleting
the VM-Series configuration, all VMs are deleted successfully; however,
sometimes a few instances still remain in the datastore. Workaround: Manually
delete the VM-Series firewalls from the datastore. |
PAN-36728 (58833) | (VM-Series for NSX firewalls only) In some
scenarios, traffic from newly added guests or virtual machines is
not steered to the VM-Series NSX edition firewall even when the
guests belong to a Security Group and are attached to a Security
Policy that redirects traffic to that VM-Series firewall. Workaround: Reapply
the Security Policy on the NSX Manager. |
PAN-36727 (58832) | A VM-Series firewall on an ESXi host fails
to deploy with an error message: Invalid OVF Format in Agent Configuration. Workaround: Use
the following command to restart the ESX Agent Manager process on
the vCenter Server: /etc/init.d/vmware-vpxd tomcat-restart. |
PAN-36433 (58260) | If an HA failover occurs on Panorama at the
time that the NSX Manager is deploying the VM-Series NSX edition
firewall, the licensing process fails with the error: vm-cfg: failed
to process registration from svm device. vm-state: active. Workaround: Delete
the unlicensed instance of the VM-Series firewall on each ESXi host
and then redeploy the Palo Alto Networks next-generation firewall
service from the NSX Manager. |
PAN-36409 (58202) | When viewing the Session Browser (Monitor >
Session Browser), using the global refresh option (top right corner)
to update the list of sessions causes the Filter menu to display
incorrectly and clears any previously selected filters. Workaround: To
maintain and apply selected filters to an updated list of sessions,
click the green arrow to the right of the Filters field instead
of the global (or browser) refresh option. |
PAN-36394 (58170) | (VM-Series for NSX firewalls only) When the
datastore is migrated for a guest, all current sessions are no longer
steered to the VM-Series firewall. However, all new sessions are
secured properly. |
PAN-36393 (58168) | When deploying the VM-Series firewall, the
Task Console displays Error while enabling agent. Cannot complete
the operation. See the event log for details. This error displays
even for a successful deployment. You can ignore the message if
the VM-Series firewall is successfully deployed. |
PAN-36333 (58049) | The Service dialog for adding or editing a
service object in the web interface displays the incorrect port
range for both source and destination ports: 1-65535. The correct
port range is 0-65535 and specifying port number 0 for either a
source or destination port is successful. |
PAN-36289 (57954) | If you deploy the VM-Series firewall and then
assign the firewall to a template, the change is not recorded in
the bootstrap file. Workaround: Delete the Palo Alto Networks
NGFW Service on the NSX Manager, and verify that the template is
specified on Panorama > VMware Service Manager, register the service,
and re-deploy the VM-Series firewall. |
PAN-36088 (57614) | When an ESXi host is rebooted or shut down,
the functional status of the guests is not updated. Because the
IP address is not updated, the dynamic tags do not accurately reflect
the functional state of the guests that are unavailable. |
PAN-36049 (57533) | The vCenter Server/vmtools displayed the IP
Address for a guest incorrectly after vlan tags were added to an
Ethernet port. The display did not accurately show the IP addresses
associated with the tagged Ethernet port and the untagged Ethernet
port. This issue was seen on some Linux OS versions such as Ubuntu. |
PAN-35903 (57265) | When you edit a traffic introspection rule
(to steer traffic to the VM-Series firewall) on the NSX Manager,
an invalid (tcp) port number error—or invalid (udp) port number
error—displays when you remove the destination (TCP or UDP) port. Workaround: Delete
the rule and add a new one. |
PAN-35875 (57205) | When defining traffic introspection rules (to
steer traffic to the VM-Series firewall) on the NSX Manager, either
the source or the destination for the rule must reference the name
of a Security Group; you cannot create a rule from any to any Security
Group. Workaround: To redirect all traffic to the VM-Series
firewall, you must create a Security Group that includes all the
guests in the cluster. Then you can define a security policy that
redirects traffic from and to the cluster so that the firewall can
inspect and enforce policy on the east-west traffic. |
PAN-35874 (57203) | Duplicate packets are being steered to the
VM-Series firewall. This issue occurs if you enable distributed
vSwitch for steering in promiscuous mode. Workaround: Disable
promiscuous mode. |
PAN-34966 (55586) | On a VM-Series NSX edition firewall, when adding
or removing a Security Group (Container) that is bound to a Security
Policy, Panorama does not get a dynamic update of the added or removed
Security Group. Workaround: On Panorama > VMware Service
Manager, click Synchronize Dynamic Objects to initiate a manual
synchronization to get the latest update. |
PAN-34855 (55393) | On a VM-Series NSX edition firewall, Dynamic
Tags (update) do not reflect the actual IP address set on the guest.
This issue occurs because the vCenter Server cannot accurately view
the IP address of the guest. |
PAN-33316 (52361) | Adding or removing ports on the Citrix SDX
server after deploying the VM-Series firewall can cause a configuration
mismatch on the firewall. To avoid the need to reconfigure the interfaces,
consider the total number of data ports that you require on the
firewall and assign the relevant number of ports on the SDX server
when deploying the VM-Series firewall. For example, if you assign
ports 1/3 and 1/4 on the SDX server as data interfaces on the VM-Series
firewall, the ports are mapped to eth1 and eth2. If you then add
port 1/1 or 1/2 on the SDX server, eth1 will be mapped to 1/1 or
1/2, eth2 will be mapped to 1/3, and eth3 to 1/4. If ports 1/3 and
1/4 were set up as a virtual wire, this remapping will require you to
reconfigure the network interfaces on the firewall. |
PAN-31832 (49742) | The following issues apply when configuring
a firewall to use a hardware security module (HSM):
|
PAN-31593 (49322) | After you configure a Panorama M-Series appliance
for HA and synchronize the configuration, the Log Collector of the
passive peer cannot connect to the active peer until you reboot
the passive peer. |
PAN-29441 (45464) | The Panorama virtual appliance does not write
summary logs for traffic and threats as expected after you enter
the clear log command. Workaround: Reboot Panorama management
server (Panorama > Setup > Operations) to enable summary logs. |
PAN-29411 (45424) | In some configurations, when you switch context
from Panorama and access the web interface of a managed device,
you are unable to upgrade the PAN-OS software image. Workaround: Use
the Panorama > Device Deployment > Software tab to deploy and install
the software image on the managed device. |
PAN-29385 (45391) | You cannot configure the management IP address
on an M-100 appliance while it is operating as the secondary passive
peer in an HA pair. Workaround: To set the IP address for
the management interface, you must suspend the active Panorama peer,
promote the passive peer to active state, change the configuration,
and then reset the active peer to active state. |
PAN-29053 (44937) | By default, the firewall does not include its
hostname in the header of the syslog messages it sends. However,
some syslog implementations require the hostname field to be present. Workaround: Enable
the firewall to include its IP address as the hostname
in the syslog header by selecting Send Hostname in Syslog (Device
> Setup). |
PAN-28794 (44571) | If a Panorama Log Collector MGT port is configured
with an IPv4 address and you want to have only an IPv6 address configured,
you can use the Panorama web interface to configure the new IPv6
address but you cannot use Panorama to remove the IPv4 address. Workaround: Configure
the MGT port with the new IPv6 address and then apply the configuration
to the Log Collector and test connectivity using the IPv6 address
to ensure that you do not lose access when you remove the IPv4 address.
After you confirm the Log Collector is accessible using the IPv6
address, go to the CLI on the Log Collector and remove the IPv4
address (using the delete deviceconfig system ip-address command) and
then commit your changes. |
PAN-25101 (39623) | If you add a Decryption policy rule that instructs
the firewall to block SSL traffic that was not previously being
blocked, the firewall continues to forward that traffic without
decrypting it until the SSL decrypt exclude cache is cleared. Workaround: Use the debug dataplane reset
ssl-decrypt exclude-cache command to clear the SSL decrypt exclude
cache. |
PAN-25046 (39543) | SSH host keys used for SCP log export are stored
in the known_hosts file on the firewall. In an HA configuration,
the SCP log export configuration is synchronized with the peer device,
but the known_hosts file is not synchronized. When a failover occurs,
the SCP log export fails. Workaround: Log in to each peer
in the HA pair and Test SCP server connection to accept the host key on that peer, so
that SCP log forwarding continues to work after a failover. |
PAN-23732 (37751) | When you use Panorama templates to schedule
a log export (Device > Scheduled Log Export) to an SCP server, you
must log in to each managed device and Test SCP server connection
after the template is pushed. The connection is not established
until the firewall accepts the host key for the SCP server. |
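Both PAN-25046 and PAN-23732 come down to the same thing: each firewall accepts the SCP server's SSH host key on first use, and that acceptance is per device, so it has to be repeated on the HA peer or on every device a template was pushed to. Accepting a key you have not checked is how a log-export target gets silently redirected, so the fingerprint the firewall shows should be compared against one obtained out of band (for example from ssh-keyscan run on a trusted host). The script below is an added example, not PAN-OS code: it parses a plain known_hosts or ssh-keyscan line, computes the OpenSSH SHA256 and MD5 fingerprints from the key blob, and checks them against an expected value. The host 10.3.4.200 and its Ed25519 key are constructed for the example.

```python
"""Compute OpenSSH-style fingerprints for an SCP server's host key so the
key each HA peer (or each template-managed firewall) is asked to accept
can be checked against a value verified out of band.

Added example, not PAN-OS code. The host key below is constructed for the
example, not a real server's.
"""
import base64
import hashlib
import struct


def parse_known_hosts_line(line: str):
    """Parse one plain (unhashed) known_hosts / ssh-keyscan line.

    Returns (hosts, key_type, key_blob). Host fields such as '[host]:port'
    are returned verbatim; hashed '|1|' entries are rejected because the
    host cannot be compared without the salt.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("|1|"):
        raise ValueError("unsupported known_hosts line: %r" % line)
    hosts = fields[0].split(",")
    key_type, b64 = fields[1], fields[2]
    blob = base64.b64decode(b64)
    # SSH wire format: a length-prefixed key-type string, then key material.
    # The type inside the blob must match the declared type on the line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type in blob does not match declared type")
    return hosts, key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy 'MD5:' colon-separated hex fingerprint shown by older clients."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def host_key_matches(line: str, expected_host: str, expected_fingerprint: str) -> bool:
    """True only if the line is for expected_host and the key's fingerprint
    equals the one you verified out of band. Compare the result against the
    fingerprint the firewall shows when you run Test SCP server connection,
    once on the active peer and again on the passive peer.
    """
    hosts, _key_type, blob = parse_known_hosts_line(line)
    if expected_host not in hosts:
        return False
    if expected_fingerprint.startswith("SHA256:"):
        return sha256_fingerprint(blob) == expected_fingerprint
    return md5_fingerprint(blob) == expected_fingerprint


def build_ed25519_line(host: str, raw_key: bytes, port: int = 22) -> str:
    """Assemble a known_hosts line for an Ed25519 key. Wire format is
    string 'ssh-ed25519' followed by string <32 key bytes>."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(raw_key)) + raw_key)
    hostfield = host if port == 22 else "[%s]:%d" % (host, port)
    return "%s ssh-ed25519 %s" % (hostfield, base64.b64encode(blob).decode())


# Constructed sample: an SCP log server at 10.3.4.200 with a made-up key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_LINE = build_ed25519_line("10.3.4.200", SAMPLE_KEY)

if __name__ == "__main__":
    hosts, key_type, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(hosts, key_type)
    print(sha256_fingerprint(blob))
    print(md5_fingerprint(blob))
```

Feed the script the line that ssh-keyscan prints for the real log server, record the SHA256 fingerprint it produces, and accept the key on a firewall only when the fingerprint the firewall displays matches; a mismatch on one peer after a template push or a failover means that peer is talking to something other than the server you verified.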
PAN-20656 (33612) | Attempts to reset the master key from the web
interface (Panorama > Master Key and Diagnostics) or the CLI on
Panorama will fail. However, this should not cause a problem when
pushing a configuration from Panorama to a device because it is
not necessary for the keys to match. |
PAN-20162 (32908) | If a user on a client PC uses RDP to connect to a server
running Remote Desktop Services and logs in to the remote
server with a different username, the User-ID agent, when it reads
the Active Directory security logs to gather user-to-IP mappings,
retrieves the second username. For example,
if UserA logs in to a client PC and then logs in to the remote server
as UserB, the security log on the Active Directory
server first records UserA for the client IP address but is then updated with UserB. The
User-ID agent picks up UserB for the user-to-IP mapping,
which is not the intended mapping. |
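The mapping error in PAN-20162 is a consequence of latest-event-wins: whatever logon the agent sees last for a client address becomes the mapping, and an RDP hop made under a second account looks like a new logon from that address. The example below is added here and is not the User-ID agent's code; it models only the behaviour the issue describes, on constructed events, and adds the check a practitioner would want: a list of addresses whose mapping was overwritten by a different user shortly after an earlier logon. The event fields are a simplified stand-in for Windows 4624 logon records, where logon type 2 is Interactive and type 10 is RemoteInteractive (RDP).

```python
"""Model the user-to-IP mapping behaviour described in PAN-20162 and flag
mappings that a later logon by a different user has overwritten.

Added example, not the User-ID agent's code. Events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LogonEvent:
    time: int          # seconds on a constructed timeline
    user: str
    source_ip: str     # client address recorded in the logon event
    logon_type: int    # 2 = Interactive, 3 = Network, 10 = RemoteInteractive (RDP)


def build_ip_user_map(events: List[LogonEvent]) -> Dict[str, str]:
    """Latest-event-wins mapping, as the issue describes: each new logon
    seen for an address replaces whatever user was mapped there before."""
    mapping: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.time):
        mapping[ev.source_ip] = ev.user
    return mapping


def find_overwritten_mappings(events: List[LogonEvent],
                              window: int = 600) -> List[Tuple[str, str, str, int]]:
    """Return (ip, previous_user, new_user, logon_type) for every case where a
    different user's logon replaced an existing mapping within `window`
    seconds. An RDP logon (type 10) from an address that already carries an
    interactive user is exactly the pattern in PAN-20162 and is worth
    reviewing before trusting the mapping for that address."""
    last: Dict[str, LogonEvent] = {}
    suspicious: List[Tuple[str, str, str, int]] = []
    for ev in sorted(events, key=lambda e: e.time):
        prev = last.get(ev.source_ip)
        if prev is not None and prev.user != ev.user and ev.time - prev.time <= window:
            suspicious.append((ev.source_ip, prev.user, ev.user, ev.logon_type))
        last[ev.source_ip] = ev
    return suspicious


# Constructed timeline: UserA sits at 10.1.1.5, then RDPs to a server as UserB.
SAMPLE_EVENTS = [
    LogonEvent(0, "UserA", "10.1.1.5", 2),
    LogonEvent(120, "UserB", "10.1.1.5", 10),
    LogonEvent(300, "UserC", "10.1.1.9", 2),
]

if __name__ == "__main__":
    print(build_ip_user_map(SAMPLE_EVENTS))
    for ip, old, new, ltype in find_overwritten_mappings(SAMPLE_EVENTS):
        print("%s: %s overwritten by %s (logon type %d)" % (ip, old, new, ltype))
```

Run against real logon events, the second function gives you the addresses where a policy decision based on the User-ID mapping may be attributing UserA's traffic to UserB; those are the addresses to check against the actual console user before relying on user-based rules.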