PAN-OS 8.0.0 Addressed Issues
PAN-OS® 8.0.0 addressed issues
Fixed an issue where several dataplane processes stopped responding on the firewall after it applied SSL Forward Proxy Decryption policy to traffic that then traversed a VPN tunnel.
Fixed an issue where exporting botnet reports failed with the following error: Missing report job id.
Fixed an issue where configuring a source address exclusion in Reconnaissance Protection tab under zone protection profile was not allowed.
Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.
Fixed an issue where the intrazone block rule shadowed the universal rule that has different source and destination zones.
Fixed an issue where the DNS Proxy feature did not work because the associated process (dnsproxy) stopped running on a firewall that had an address object (ObjectsAddress) with the same FQDN as one of the Static Entries in a DNS proxy configuration (NetworkDNS Proxy).
Fixed an issue with the passive firewall in a high availability (HA) configuration that had LACP pre-negotiation enabled where the firewall stopped correctly processing LACP BPDU packets through an interface that had previously physically flapped.
Fixed an issue where, if you configured a User-ID agent with an FQDN instead of an IP address (DeviceUser IdentificationUser-ID Agents), the firewall generated a System log with the wrong severity level (informational instead of high) after losing the connection to the User-ID agent.
Fixed an issue where the scp export stats-dump report did not run correctly because source (src) and destination (dst) options were determined to be invalid arguments.
Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server would stop responding.
Fixed an issue on a virtual wire where, if you enabled Link State Pass Through (NetworkVirtual Wires), there were significant delays in link-state propagation or even instances where an interface stayed down permanently even when ports were re-enabled on the neighbor device.
A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).
Fixed an issue on an M-Series appliance in Panorama mode where shared service groups did not populate in the service pull down when attempting to add a new item to a security policy. The issue occurred when the drop down contained 5,000 or more entries.
A security-related fix was made to prevent inappropriate information disclosure to authenticated users (CVE-2017-5583).
Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error:
Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
Fixed an issue where running the validate option on a candidate configuration in Panorama caused changes to the running configuration on the managed device. The configuration change occurred after a subsequent FQDN refresh occurred.
Fixed an issue where the firewall failed to forward system logs to Panorama when the dataplane was under severe load.
Fixed an issue where the hyphen ("-") character was not supported in a DNS proxy domain name (NetworkDNS Proxy<dns-proxy-name>DNS Proxy Rules<rule-name>Domain Name").
Fixed an issue where committing a configuration with several thousand Layer 3 subinterfaces caused the dataplane to stop responding.
Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to a managed firewalls running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to Drop. With this fix, Panorama translates the action from Drop to Drop packets for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.
Fixed an issue where the Remote Users link for a gateway (NetworkGlobalProtectGateways) became inactive and prevented you from reopening the User Information dialog if you closed the dialog using the Esc key instead of clicking Close.
Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set Number of Hits (SSH hello messages) to 3 and perseconds to 60, after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.
Fixed an issue where CSV exports for Unified logs (MonitorLogsUnified) had no log entries if you limited the effective queries to one log type.
Fixed an issue where custom threat reports failed to generate data when you specified Threat Category for either the Group By or Selected Column setting.
Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a 502 Bad Gateway error.
Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out-of-sync.
Fixed an issue where the firewall did not populate User-ID mappings based on the defined Syslog Parse profiles (DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupSyslog Filters).
A security-related fix was made to address CVE-2016-5195.
The show netstat CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the show netstat command is reintroduced.
Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.
Fixed an issue where a process (all_pktproc) stopped responding because a race condition occurred when closing sessions.
Fixed an issue where the firewall did not properly mask the Auth Password and Priv Password for an SNMPv3 server profile (DeviceServer ProfilesSNMP Trap) when you viewed the configuration change in a Configuration log.
In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.
Fixed an issue where the firewall displayed a validation error after Panorama imported the firewall configuration and then pushed the configuration back to the firewall so it could be managed by Panorama. This issue occurred because log forwarding profiles were not replaced with the profiles configured in Panorama. With this fix, Panorama will properly remove the existing configuration on the managed firewall before applying the pushed configuration.
Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.
Fixed an issue where the firewall discarded SSL sessions when the server certificate chain size exceeded 23KB.
Fixed an issue where PAN-OS deleted critical content files when the management plane ran out of memory, which caused commit failures until you updated or reinstalled the content.
A security-related fix was made to address a Cross Site-Scripting (XSS) vulnerability on the management web interface (CVE-2017-5584).
Fixed an issue where extended packet captures were consuming an excessive amount of storage space in /opt/panlogs.
Fixed an issue where the status of a tunnel interface remained down even after disabling the tunnel monitoring option for IPSec tunnels.
Fixed an issue where the Commit Scope column in the Commit window was empty after manually uploading and installing a content update and then committing. Although the content update was not listed under Commit Scope, the commit continued and showed 100% complete.
Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue, and URL override) did not display; they were replaced by shared response pages, instead.
Fixed an issue on the Panorama virtual appliance where the third-party backup software BackupExec failed to back up a quiesced snapshot of Panorama (Panorama in a temporary state where all write operations are flushed). With this fix, the VMware Tools bundled with Panorama supports the quiescing option.
Fixed an issue where an internal buffer could be overwritten, causing the management plane to stop responding.
Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC table; after failover, the MAC table was rebuilt only on the peer that became active, which caused excessive packet flooding.
Fixed an issue where a zone with the Type set to Virtual Wire (NetworkZones) dropped all incoming traffic when you configured the Zone Protection profile for that zone with a Strict IP Address Check (NetworkNetwork ProfilesZone ProtectionPacket Based Attack ProtectionIP Drop).
Fixed an issue where the test authentication CLI command was incorrectly sending vsys-specific information to the User-ID process for group-mapping query that allowed the authentication test to succeed when it should have failed.
Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.
Error message is now displayed when installing apps package manually from file on passive Panorama.
Fixed an issue where User-ID failed to update the allow list for a group name that was larger than 128 bytes.
Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the destCallSignalAddress payload in the H.225 call setup.
Fixed an issue where creation of IGMP sessions failed due to a timeout issue.
Fixed an issue where firewall displays inconsistent shadow rule warnings during a commit for QOS policies.
Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.
Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring device (such as a switch) to which they connected even though the interfaces were down on the passive peer.
Fixed an issue where the firewall did not generate a log when a content update failed or was interrupted.
Fixed an issue where SSH sessions were incorrectly subjected to a URL category lookup even when SSH decryption was disabled. With this fix, SSH traffic is not subject to a URL category lookup when SSH decryption is disabled.
Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.
Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.
Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when the group include list was pushed from Panorama.
Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.
Fixed an issue where a commit validation error displayed when pushing a template configuration with a modified WildFire file-size setting. With this fix, commit validation takes place on the managed firewall that tries to commit new template values.
Fixed an issue where establishing an LDAP connection over a slow or unstable connection caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall does not attempt to establish LDAP connections when you perform a commit.
Fixed an issue where a process (cdb) intermittently restarted, which prevented jobs from completing successfully.
Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where the show high-availability path-monitoring command always showed the NPC as slot 1 even though the path monitoring IP address was assigned to an interface in a different NPC slot. This occurred only when the path monitoring IP address was assigned to an interface in an Aggregate Ethernet (AE) interface group and the interface group was in a slot other than slot 1.
Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.
Fixed an issue where Authentication Override in the GlobalProtect portal configuration didn't work when the certificate used for encrypting and decrypting cookies was generated using RSA 4,096 bit keys.
Fixed an issue where the firewall matched traffic to a URL category and on first lookup, which caused some traffic to be matched to the wrong security profile. With this fix, the firewall matches traffic to URL categories a second time to ensure that traffic is matched to the correct security profile.
Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a SYN Cookies action (NetworkZone ProtectionFlood Protection).
Fixed an issue where a custom scheduled report configured per device was empty when exported.
Fixed an issue on the passive peer in an HA configuration where LACP flapped when the link state was set to shutdown/auto and pre-negotiation was disabled.
Fixed an issue where end users either did not see the Captive Portal web form or saw a page displaying raw HTML code after requesting an application through a web proxy because the HTTP body content length exceeded the specified size in the HTTP Header Content-Length.
Fixed an issue where the web interface (ObjectsDecryption ProfileSSL DecryptionSSL Protocol SettingsEncryption Algorithms) still displayed the 3DES encryption algorithm as enabled even after you disabled it.
Fixed an issue where data filtering logs (MonitorLogsData Filtering) do not take into account the file direction (upload or download) so it was not possible to differentiate uploaded files from downloaded files in the logs. With this fix, you configure the file direction (upload, download, or both) in ObjectsSecurity ProfilesData Filtering and select the Direction column in MonitorLogsData Filtering to view the file direction in the logs.
Fixed an issue where User-ID consumed a large amount of memory when the firewall experienced a high rate of incoming IP address-to-username mapping data and there were more than ten redistribution client firewalls at the same time.
Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.
Fixed an issue where read-only superusers were able to view threat packet captures (pcaps) on the firewall but received an error (File not found) when they attempted to export certain types of pcap files (threat, threat extpcap, app, and filtering).
Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy decryption.
Added check to not include all the applications in the Application filter if no application category is selected by the user. User have to explicitly add all the categories to create an application filter with all the applications.
Fixed an issue where an application filter with no categories selected caused the firewall to perform slowly because the filter defaulted to include all categories (ObjectsApplication Filters). With this fix, you cannot configure an application filter without selecting one or more categories.
Added support in the certificate profile to also configure a non CA certificate as an additional certificate to verify the OCSP response received for certificate status validation.
The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify Certificate.
Fixed an issue where renaming an address object caused the commit to a Device Group to fail.
Fixed an issue where the Panorama application database did not display all applications in the browser.
Enhanced dynamic IP NAT translation to prevent conflicts between different packet processors and improve dynamic IP NAT pool utilization.
Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could not download content or software updates.
Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to a PAN-OS 8.0.0 or later release does not cause commit failures related to these settings.
Fixed an issue where administrators were unable to fully utilize the maximum of 64 address objects per FQDN due to the 512B DNS server response packet size; specified addresses that were not included in the first 512B were dropped and not resolved. With this fix, the size of the DNS server response packet is increased to 4,096B, which fully supports the maximum 64 combined address objects per FQDN (up to 32 each IPv4 and IPv6 addresses).
Fixed an issue where configuring too many applications and individual ports in a security rule caused the firewall to stop responding. With this fix, the firewall continues responding and sends the following error message:
Error: Security Policy '58636_rule' is exceeding maximum number of combinations supported for service ports(51) and applications(2291). To fix this, please convert this Security Policy into multiple policies by either splitting applications or service ports. Error: Failed to parse security policy (Module: device) Commit failed
Fixed an issue where custom reports using threat summary were not populated.
Fixed an issue where users were matched to the incorrect security policies.
Fixed an issue where CSV exports for Unified logs (MonitorLogsUnified) displayed information in the wrong columns.
Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN did not receive a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.
Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500-byte packet.
Fixed an issue where an HTTP 416 error appeared when trying to download updates to a client from an IBM BigFix update server.
Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.
Fixed an issue where DNS proxy static entries stopped working when there were duplicate entries in the configuration.
Fixed an issue where the sum of all link aggregation group (LAG) interfaces was greater than the value of the Aggregate Ethernet (AE) interface.
Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC mode option was visible in the maintenance mode menu, you could not enable it. With this fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu in VM-Series firewalls on Microsoft Hyper-V.
Fixed an issue where the maximum transmission unit (MTU) size on the interfaces did not increase as expected when you enabled jumbo frames on a VM-Series firewall in AWS using the set deviceconfig setting jumbo-frame mtu configuration mode CLI command (the MTU on each interface remained at a maximum value of 1,500 bytes).
Fixed an issue on PA-200 firewalls where the Panorama dynamic update schedule ignored the currently installed dynamic update version and installed unnecessary dynamic updates.
Fixed a cosmetic issue where, when you configured a firewall to retrieve a WildFire signature package, the System log showed unknown version for that package. For example, after a scheduled WildFire package update, the System log showed:
WildFire package upgraded from version <unknown version> to 38978-45470.