1. Home
    2. PAN-OS
    3. PAN-OS® Release Notes
    4. PAN-OS 8.0 Addressed Issues
    5. PAN-OS 8.0.0 Addressed Issues
    End-of-Life (EoL)

    PAN-OS 8.0.0 Addressed Issues

    PAN-OS® 8.0.0 addressed issues
    Issue ID
    Description
    PAN-76702
    Fixed an issue where several dataplane processes stopped responding on the firewall after it applied SSL Forward Proxy Decryption policy to traffic that then traversed a VPN tunnel.
    PAN-72346
    Fixed an issue where exporting botnet reports failed with the following error:
    Missing report job id
    .
    PAN-72242
    Fixed an issue where configuring a source address exclusion in Reconnaissance Protection tab under zone protection profile was not allowed.
    PAN-71892
    Fixed an issue where an LDAP profile did not use the configured port; the profile used the default port, instead.
    PAN-71615
    Fixed an issue where the intrazone block rule shadowed the universal rule that has different source and destination zones.
    PAN-71400
    Fixed an issue where the DNS Proxy feature did not work because the associated process (
    dnsproxy
    ) stopped running on a firewall that had an address object (
    Objects
    Address
    ) with the same FQDN as one of the
    Static Entries
     in a DNS proxy configuration (
    Network
    DNS Proxy
    ).
    PAN-71384
    Fixed an issue with the passive firewall in a high availability (HA) configuration that had LACP pre-negotiation enabled where the firewall stopped correctly processing LACP BPDU packets through an interface that had previously physically flapped.
    PAN-71311
    Fixed an issue where, if you configured a User-ID agent with an FQDN instead of an IP address (
    Device
    User Identification
    User-ID Agents
    ), the firewall generated a System log with the wrong severity level (
    informational
     instead of
    high
    ) after losing the connection to the User-ID agent.
    PAN-71307
    Fixed an issue where the
    scp export stats-dump
     report did not run correctly because source (src) and destination (dst) options were determined to be invalid arguments.
    PAN-71192
    Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64 and if you add 63 to 128 that equals 191 logs. In this case, if you performed a log query or export and there were 191 logs, the management server would stop responding.
    PAN-70969
    Fixed an issue on a virtual wire where, if you enabled Link State Pass Through (
    Network
    Virtual Wires
    ), there were significant delays in link-state propagation or even instances where an interface stayed down permanently even when ports were re-enabled on the neighbor device.
    PAN-70541
    A security-related fix was made to address an information disclosure issue that was caused by a firewall that did not properly validate certain permissions when administrators accessed the web interface over the management (MGT) interface (CVE-2017-7644).
    PAN-70483
    Fixed an issue on an M-Series appliance in Panorama mode where shared service groups did not populate in the service pull down when attempting to add a new item to a security policy. The issue occurred when the drop down contained 5,000 or more entries.
    PAN-70428
    A security-related fix was made to prevent inappropriate information disclosure to authenticated users (CVE-2017-5583).
    PAN-70057
    Fixed an issue where running the validate option on a candidate configuration in Panorama caused changes to the running configuration on the managed device. The configuration change occurred after a subsequent FQDN refresh occurred.
    PAN-69951
    Fixed an issue where the firewall failed to forward system logs to Panorama when the dataplane was under severe load.
    PAN-69901
    Fixed an issue where the hyphen ("-") character was not supported in a DNS proxy domain name (
    Network
    DNS Proxy
    <dns-proxy-name>
    DNS Proxy Rules
    <rule-name>
    Domain Name
    ").
    PAN-69235
    Fixed an issue where committing a configuration with several thousand Layer 3 subinterfaces caused the dataplane to stop responding.
    PAN-69194
    Fixed an issue where performing a device group commit from a Panorama server running version 7.1 to a managed firewalls running PAN-OS 6.1 failed to commit when the custom spyware profile action was set to
    Drop
    . With this fix, Panorama translates the action from
    Drop
     to
    Drop packets
     for firewalls running PAN-OS 6.1, which allows the device group commit to succeed.
    PAN-69146
    Fixed an issue where the Remote Users link for a gateway (
    Network
    GlobalProtect
    Gateways
    ) became inactive and prevented you from reopening the User Information dialog if you closed the dialog using the Esc key instead of clicking
    Close
    .
    PAN-68873
    Fixed an issue where customizing the block duration for threat ID 40015 in a Vulnerability Protection profile did not adhere to the defined block interval. For example, if you set
    Number of Hits
     (SSH hello messages) to
    3
     and
    per
    seconds
     to
    60
    , after three consecutive SSH hello messages from the client, the firewall failed to block the client for the full 60 seconds.
    PAN-68831
    Fixed an issue where CSV exports for Unified logs (
    Monitor
    Logs
    Unified
    ) had no log entries if you limited the effective queries to one log type.
    PAN-68823
    Fixed an issue where custom threat reports failed to generate data when you specified Threat Category for either the Group By or Selected Column setting.
    PAN-68766
    Fixed an issue where navigating to the IPSec tunnel configuration in a Panorama template caused the Panorama management web interface to stop responding and displayed a 502 Bad Gateway error.
    PAN-68658
    Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out-of-sync.
    PAN-68654
    Fixed an issue where the firewall did not populate User-ID mappings based on the defined Syslog Parse profiles (
    Device
    User Identification
    User Mapping
    Palo Alto Networks User-ID Agent Setup
    Syslog Filters
    ).
    PAN-68074
    A security-related fix was made to address CVE-2016-5195.
    PAN-68034
    The
    show netstat
     CLI command was removed in the 7.1 release for Panorama, Panorama log collector, and WildFire. With this fix, the
    show netstat
     command is reintroduced.
    PAN-67987
    Fixed an issue where the GlobalProtect agent failed to connect using a client certificate if the intermediate CA is signed using the ECDSA hash algorithm.
    PAN-67944
    Fixed an issue where a process (
    all_pktproc
    ) stopped responding because a race condition occurred when closing sessions.
    PAN-67639
    Fixed an issue where the firewall did not properly mask the
    Auth Password
     and
    Priv Password
     for an SNMPv3 server profile (
    Device
    Server Profiles
    SNMP Trap
    ) when you viewed the configuration change in a Configuration log.
    PAN-67599
    In PAN-OS 7.0 and 7.1 releases, a restriction was added to prevent an administrator from configuring OSPF router ID 0.0.0.0. This restriction is removed in PAN-OS 8.0.
    PAN-67224
    Fixed an issue where the firewall displayed a validation error after Panorama imported the firewall configuration and then pushed the configuration back to the firewall so it could be managed by Panorama. This issue occurred because log forwarding profiles were not replaced with the profiles configured in Panorama. With this fix, Panorama will properly remove the existing configuration on the managed firewall before applying the pushed configuration.
    PAN-67090
    Fixed an issue where the web interface displayed an obsolete flag for the nation of Myanmar.
    PAN-67079
    Fixed an issue where the firewall discarded SSL sessions when the server certificate chain size exceeded 23KB.
    PAN-66873
    Fixed an issue where PAN-OS deleted critical content files when the management plane ran out of memory, which caused commit failures until you updated or reinstalled the content.
    PAN-66838
    A security-related fix was made to address a Cross Site-Scripting (XSS) vulnerability on the management web interface (CVE-2017-5584).
    PAN-66675
    Fixed an issue where extended packet captures were consuming an excessive amount of storage space in /opt/panlogs.
    PAN-66654
    Fixed an issue where the status of a tunnel interface remained down even after disabling the tunnel monitoring option for IPSec tunnels.
    PAN-66531
    Fixed an issue where the Commit Scope column in the Commit window was empty after manually uploading and installing a content update and then committing. Although the content update was not listed under Commit Scope, the commit continued and showed 100% complete.
    PAN-66104
    Fixed an issue where vsys-specific custom response pages (Captive portal, URL continue, and URL override) did not display; they were replaced by shared response pages, instead.
    PAN-65918
    Fixed an issue on the Panorama virtual appliance where the third-party backup software BackupExec failed to back up a
    quiesced
     snapshot of Panorama (Panorama in a temporary state where all write operations are flushed). With this fix, the VMware Tools bundled with Panorama supports the quiescing option.
    PAN-64981
    Fixed an issue where an internal buffer could be overwritten, causing the management plane to stop responding.
    PAN-64884
    Fixed an issue where firewalls in an HA configuration did not synchronize the Layer 2 MAC table; after failover, the MAC table was rebuilt only on the peer that became active, which caused excessive packet flooding.
    PAN-64870
    Fixed an issue where a zone with the
    Type
     set to
    Virtual Wire
     (
    Network
    Zones
    ) dropped all incoming traffic when you configured the Zone Protection profile for that zone with a
    Strict IP Address Check
     (
    Network
    Network Profiles
    Zone Protection
    Packet Based Attack Protection
    IP Drop
    ).
    PAN-64723
    Fixed an issue where the
    test authentication
     CLI command was incorrectly sending vsys-specific information to the User-ID process for group-mapping query that allowed the authentication test to succeed when it should have failed.
    PAN-64638
    Fixed an issue where the firewall failed to send a RADIUS access request after changing the IP address of the management interface.
    PAN-64579
    Error message is now displayed when installing apps package manually from file on passive Panorama.
    PAN-64525
    Fixed an issue where User-ID failed to update the allow list for a group name that was larger than 128 bytes.
    PAN-64520
    Fixed an issue where H.323-based video calls failed when using source NAT (dynamic or static) due to incorrect translation of the
    destCallSignalAddress
     payload in the H.225 call setup.
    PAN-64436
    Fixed an issue where creation of IGMP sessions failed due to a timeout issue.
    PAN-64419
    Fixed an issue where firewall displays inconsistent shadow rule warnings during a commit for QOS policies.
    PAN-64081
    Fixed an issue on PA-5000 Series firewalls where the dataplane stopped responding due to a race condition during hardware offload.
    PAN-63969
    Fixed an issue on PA-7000 Series firewalls in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces on the passive peer displayed link activity on a neighboring device (such as a switch) to which they connected even though the interfaces were down on the passive peer.
    PAN-63925
    Fixed an issue where the firewall did not generate a log when a content update failed or was interrupted.
    PAN-63908
    Fixed an issue where SSH sessions were incorrectly subjected to a URL category lookup even when SSH decryption was disabled. With this fix, SSH traffic is not subject to a URL category lookup when SSH decryption is disabled.
    PAN-63612
    Fixed an issue where User activity reports on Panorama did not include any entries when there was a space in the Device Group name.
    PAN-63520
    Fixed an issue where the wrong source zone was used when logging vsys-to-vsys sessions.
    PAN-63207
    Fixed an issue on PA-7000 Series firewalls where group mappings did not populate when the group include list was pushed from Panorama.
    PAN-63054
    Fixed an issue on VM-Series firewalls where enabling software QoS resulted in dropped packets under heavy traffic conditions. With this fix, VM-Series firewalls no longer drop packets due to heavy loads with software QoS enabled and software QoS performance in general is improved for all Palo Alto Networks firewalls.
    PAN-63013
    Fixed an issue where a commit validation error displayed when pushing a template configuration with a modified WildFire file-size setting. With this fix, commit validation takes place on the managed firewall that tries to commit new template values.
    PAN-62937
    Fixed an issue where establishing an LDAP connection over a slow or unstable connection caused commits to fail when you enabled TLS. With this fix, if you enable TLS, the firewall does not attempt to establish LDAP connections when you perform a commit.
    PAN-62797
    Fixed an issue where a process (
    cdb
    ) intermittently restarted, which prevented jobs from completing successfully.
    PAN-62513
    Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where the
    show high-availability path-monitoring
     command always showed the NPC as
    slot 1
     even though the path monitoring IP address was assigned to an interface in a different NPC slot. This occurred only when the path monitoring IP address was assigned to an interface in an Aggregate Ethernet (AE) interface group and the interface group was in a slot other than slot 1.
    PAN-62057
    Fixed an issue where the GlobalProtect agent failed to authenticate using a client certificate that had a signature algorithm that was not SHA1/SHA256. With this fix, the firewall provides support for the SHA384 signature algorithm for client-based authentication.
    PAN-61877
    Fixed an issue where
    Authentication Override
     in the GlobalProtect portal configuration didn't work when the certificate used for encrypting and decrypting cookies was generated using RSA 4,096 bit keys.
    PAN-61871
    Fixed an issue where the firewall matched traffic to a URL category and on first lookup, which caused some traffic to be matched to the wrong security profile. With this fix, the firewall matches traffic to URL categories a second time to ensure that traffic is matched to the correct security profile.
    PAN-61837
    Fixed an issue on PA-3000 Series and PA-5000 Series firewalls where the dataplane stopped responding when a session crossed vsys boundaries and could not find the correct egress port. This issue occurred when zone protection was enabled with a
    SYN Cookies
     action (
    Network
    Zone Protection
    Flood Protection
    ).
    PAN-61813
    Fixed an issue where a custom scheduled report configured per device was empty when exported.
    PAN-61797
    Fixed an issue on the passive peer in an HA configuration where LACP flapped when the link state was set to shutdown/auto and pre-negotiation was disabled.
    PAN-61682
    Fixed an issue where end users either did not see the Captive Portal web form or saw a page displaying raw HTML code after requesting an application through a web proxy because the HTTP body content length exceeded the specified size in the HTTP Header Content-Length.
    PAN-61465
    Fixed an issue where the web interface (
    Objects
    Decryption Profile
    SSL Decryption
    SSL Protocol Settings
    Encryption Algorithms
    ) still displayed the 3DES encryption algorithm as enabled even after you disabled it.
    PAN-61365
    Fixed an issue where data filtering logs (
    Monitor
    Logs
    Data Filtering
    ) do not take into account the file direction (upload or download) so it was not possible to differentiate uploaded files from downloaded files in the logs. With this fix, you configure the file direction (
    upload
    ,
    download
    , or
    both
    ) in
    Objects
    Security Profiles
    Data Filtering
     and select the Direction column in
    Monitor
    Logs
    Data Filtering
     to view the file direction in the logs.
    PAN-61284
    Fixed an issue where User-ID consumed a large amount of memory when the firewall experienced a high rate of incoming IP address-to-username mapping data and there were more than ten redistribution client firewalls at the same time.
    PAN-61252
    Fixed an issue on firewalls in an HA active/active configuration where the floating IP address was not active on the secondary firewall after the link went down on the primary firewall.
    PAN-60797
    Fixed an issue where read-only superusers were able to view threat packet captures (pcaps) on the firewall but received an error (
    File not found
    ) when they attempted to export certain types of pcap files (threat, threat extpcap, app, and filtering).
    PAN-60753
    Fixed an issue where changing the RSA key from a 2,048-bit key to a 1,024-bit key forced the encryption algorithm to change from SHA256 to SHA1 for SSL forward proxy decryption.
    PAN-60581
    Added check to not include all the applications in the Application filter if no application category is selected by the user. User have to explicitly add all the categories to create an application filter with all the applications.
    PAN-60577
    Fixed an issue where an application filter with no categories selected caused the firewall to perform slowly because the filter defaulted to include all categories (
    Objects
    Application Filters
    ). With this fix, you cannot configure an application filter without selecting one or more categories.
    PAN-60556
    Added support in the certificate profile to also configure a non CA certificate as an additional certificate to verify the OCSP response received for certificate status validation.
    The OCSP Verify CA field in the certificate profile has been changed to OCSP Verify Certificate.
    PAN-60402
    Fixed an issue where renaming an address object caused the commit to a Device Group to fail.
    PAN-60340
    Fixed an issue where the Panorama application database did not display all applications in the browser.
    PAN-60035
    Enhanced dynamic IP NAT translation to prevent conflicts between different packet processors and improve dynamic IP NAT pool utilization.
    PAN-59676
    Fixed an issue where firewall administrators with custom roles (Admin Role profiles) could not download content or software updates.
    PAN-59654
    Fixed an issue where commits failed on the firewall after upgrading from a PAN-OS 6.1 release due to incorrect settings for the HexaTech VPN application on the firewall. With this fix, upgrading from a PAN-OS 6.1 release to a PAN-OS 8.0.0 or later release does not cause commit failures related to these settings.
    PAN-59614
    Fixed an issue where administrators were unable to fully utilize the maximum of 64 address objects per FQDN due to the 512B DNS server response packet size; specified addresses that were not included in the first 512B were dropped and not resolved. With this fix, the size of the DNS server response packet is increased to 4,096B, which fully supports the maximum 64 combined address objects per FQDN (up to 32 each IPv4 and IPv6 addresses).
    PAN-58636
    Fixed an issue where configuring too many applications and individual ports in a security rule caused the firewall to stop responding. With this fix, the firewall continues responding and sends the following error message:
    Error: Security Policy '58636_rule' is exceeding maximum number of combinations supported for 
service ports(51) and applications(2291). To fix this, please convert this 
Security Policy into multiple policies by either splitting applications or service ports. 
Error: Failed to parse security policy 
(Module: device) 
Commit failed
    PAN-58496
    Fixed an issue where custom reports using threat summary were not populated.
    PAN-58382
    Fixed an issue where users were matched to the incorrect security policies.
    PAN-58358
    Fixed an issue where CSV exports for Unified logs (
    Monitor
    Logs
    Unified
    ) displayed information in the wrong columns.
    PAN-57529
    Fixed an issue where the firewall acted as a DHCP relay and wireless devices on a VLAN did not receive a DHCP address (all other devices on the VLAN did receive a DHCP address). With this fix, all devices on a VLAN receive a DHCP address when the firewall acts as a DHCP relay.
    PAN-57440
    Fixed an issue where OSPFv3 link-state updates were sent with the incorrect OSPF checksum when the OSPF packet needed to advertise more link-state advertisements (LSAs) than fit into a 1,500-byte packet. With this fix, the firewall sends the correct OSPF checksum to neighboring switches and routers even when the number of LSAs doesn’t fit into a 1,500-byte packet.
    PAN-57215
    Fixed an issue where an HTTP 416 error appeared when trying to download updates to a client from an IBM BigFix update server.
    PAN-56700
    Fixed an issue where the SNMP OID ifHCOutOctets did not contain the expected data.
    PAN-56684
    Fixed an issue where DNS proxy static entries stopped working when there were duplicate entries in the configuration.
    PAN-53659
    Fixed an issue where the sum of all link aggregation group (LAG) interfaces was greater than the value of the Aggregate Ethernet (AE) interface.
    PAN-50973
    Fixed an issue for VM-Series firewalls on Microsoft Hyper-V where, although the FIPS-CC mode option was visible in the maintenance mode menu, you could not enable it. With this fix, FIPS-CC mode is supported for and can be enabled from the maintenance mode menu in VM-Series firewalls on Microsoft Hyper-V.
    PAN-50038
    Fixed an issue where the maximum transmission unit (MTU) size on the interfaces did not increase as expected when you enabled jumbo frames on a VM-Series firewall in AWS using the
    set deviceconfig setting jumbo-frame mtu
     configuration mode CLI command (the MTU on each interface remained at a maximum value of 1,500 bytes).
    PAN-48095
    Fixed an issue on PA-200 firewalls where the Panorama dynamic update schedule ignored the currently installed dynamic update version and installed unnecessary dynamic updates.
    PAN-40842
    Fixed a cosmetic issue where, when you configured a firewall to retrieve a WildFire signature package, the System log showed
    unknown version
     for that package. For example, after a scheduled WildFire package update, the System log showed:
    WildFire package upgraded from version <unknown version> to 38978-45470.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo