End-of-Life (EoL)
PAN-OS 8.0.0 Addressed Issues
Issue ID | Description |
---|---|
PAN-76702 | Fixed an issue where several dataplane processes
stopped responding on the firewall after it applied SSL Forward
Proxy Decryption policy to traffic that then traversed a VPN tunnel. |
PAN-72346 | Fixed an issue where exporting botnet reports
failed with the following error: Missing report job id. |
PAN-72242 | Fixed an issue where configuring a source
address exclusion in the Reconnaissance Protection tab under a zone protection
profile was not allowed. |
PAN-71892 | Fixed an issue where an LDAP profile did
not use the configured port; the profile used the default port,
instead. |
PAN-71615 | Fixed an issue where the intrazone block
rule shadowed the universal rule that has different source and destination
zones. |
PAN-71400 | Fixed an issue where the DNS Proxy feature
did not work because the associated process (dnsproxy)
stopped running on a firewall that had an address object (Objects Address Static Entries in
a DNS proxy configuration (Network DNS Proxy |
PAN-71384 | Fixed an issue with the passive firewall
in a high availability (HA) configuration that had LACP pre-negotiation
enabled where the firewall stopped correctly processing LACP BPDU
packets through an interface that had previously physically flapped. |
PAN-71311 | Fixed an issue where, if you configured
a User-ID agent with an FQDN instead of an IP address ( Device User Identification User-ID Agents informational instead
of high ) after losing the connection
to the User-ID agent. |
PAN-71307 | Fixed an issue where the scp export stats-dump report
did not run correctly because source (src) and destination (dst)
options were determined to be invalid arguments. |
PAN-71192 | Fixed an issue where performing a log query
or log export with a specific number of logs caused the management
server to stop responding. This occurred only when the number of
logs was a multiple of 64 plus 63. For example, 128 is a multiple
of 64 and if you add 63 to 128 that equals 191 logs. In this case,
if you performed a log query or export and there were 191 logs,
the management server would stop responding. |
PAN-70969 | Fixed an issue on a virtual wire where,
if you enabled Link State Pass Through ( Network Virtual Wires |
PAN-70541 | A security-related fix was made to address
an information disclosure issue that was caused by a firewall that
did not properly validate certain permissions when administrators
accessed the web interface over the management (MGT) interface (CVE-2017-7644). |
PAN-70483 | Fixed an issue on an M-Series appliance
in Panorama mode where shared service groups did not populate in
the service pull down when attempting to add a new item to a security
policy. The issue occurred when the drop down contained 5,000 or
more entries. |
PAN-70428 | A security-related fix was made to prevent
inappropriate information disclosure to authenticated users (CVE-2017-5583). |
PAN-70057 | Fixed an issue where running the validate
option on a candidate configuration in Panorama caused changes to
the running configuration on the managed device. The configuration
change occurred after a subsequent FQDN refresh occurred. |
PAN-69951 | Fixed an issue where the firewall failed
to forward system logs to Panorama when the dataplane was under
severe load. |
PAN-69901 | Fixed an issue where the hyphen ("-") character
was not supported in a DNS proxy domain name ( Network DNS Proxy <dns-proxy-name> DNS Proxy Rules <rule-name> Domain Name |
PAN-69235 | Fixed an issue where committing a configuration
with several thousand Layer 3 subinterfaces caused the dataplane
to stop responding. |
PAN-69194 | Fixed an issue where performing a device
group commit from a Panorama server running version 7.1 to managed
firewalls running PAN-OS 6.1 failed to commit when the custom spyware
profile action was set to Drop. With this
fix, Panorama translates the action from Drop to Drop packets for
firewalls running PAN-OS 6.1, which allows the device group commit
to succeed. |
PAN-69146 | Fixed an issue where the Remote Users link
for a gateway ( Network GlobalProtect Gateways Close . |
PAN-68873 | Fixed an issue where customizing the block
duration for threat ID 40015 in a Vulnerability Protection profile
did not adhere to the defined block interval. For example, if you
set Number of Hits (SSH hello messages) to 3 and per seconds to 60,
after three consecutive SSH hello messages from the client, the
firewall failed to block the client for the full 60 seconds. |
PAN-68831 | Fixed an issue where CSV exports for Unified
logs ( Monitor Logs Unified |
PAN-68823 | Fixed an issue where custom threat reports
failed to generate data when you specified Threat Category for either
the Group By or Selected Column setting. |
PAN-68766 | Fixed an issue where navigating to the IPSec
tunnel configuration in a Panorama template caused the Panorama
management web interface to stop responding and displayed a 502
Bad Gateway error. |
PAN-68658 | Fixed an issue where handling out-of-order
TCP FIN packets resulted in dropped packets due to TCP reassembly
that was out-of-sync. |
PAN-68654 | Fixed an issue where the firewall did not
populate User-ID mappings based on the defined Syslog Parse profiles ( Device User Identification User Mapping Palo Alto Networks
User-ID Agent Setup Syslog Filters |
PAN-68074 | A security-related fix was made to address
CVE-2016-5195. |
PAN-68034 | The show netstat CLI
command was removed in the 7.1 release for Panorama, Panorama log
collector, and WildFire. With this fix, the show netstat command
is reintroduced. |
PAN-67987 | Fixed an issue where the GlobalProtect agent
failed to connect using a client certificate if the intermediate
CA is signed using the ECDSA hash algorithm. |
PAN-67944 | Fixed an issue where a process (all_pktproc) stopped
responding because a race condition occurred when closing sessions. |
PAN-67639 | Fixed an issue where the firewall did not
properly mask the Auth Password and Priv Password for
an SNMPv3 server profile (Device Server Profiles SNMP Trap |
PAN-67599 | In PAN-OS 7.0 and 7.1 releases, a restriction
was added to prevent an administrator from configuring OSPF router
ID 0.0.0.0. This restriction is removed in PAN-OS 8.0. |
PAN-67224 | Fixed an issue where the firewall displayed
a validation error after Panorama imported the firewall configuration
and then pushed the configuration back to the firewall so it could
be managed by Panorama. This issue occurred because log forwarding
profiles were not replaced with the profiles configured in Panorama.
With this fix, Panorama will properly remove the existing configuration
on the managed firewall before applying the pushed configuration. |
PAN-67090 | Fixed an issue where the web interface displayed
an obsolete flag for the nation of Myanmar. |
PAN-67079 | Fixed an issue where the firewall discarded
SSL sessions when the server certificate chain size exceeded 23KB. |
PAN-66873 | Fixed an issue where PAN-OS deleted critical
content files when the management plane ran out of memory, which
caused commit failures until you updated or reinstalled the content. |
PAN-66838 | A security-related fix was made to address
a cross-site scripting (XSS) vulnerability on the management web
interface (CVE-2017-5584). |
PAN-66675 | Fixed an issue where extended packet captures
were consuming an excessive amount of storage space in /opt/panlogs. |
PAN-66654 | Fixed an issue where the status of a tunnel
interface remained down even after disabling the tunnel monitoring
option for IPSec tunnels. |
PAN-66531 | Fixed an issue where the Commit Scope column
in the Commit window was empty after manually uploading and installing
a content update and then committing. Although the content update
was not listed under Commit Scope, the commit continued and showed
100% complete. |
PAN-66104 | Fixed an issue where vsys-specific custom
response pages (Captive portal, URL continue, and URL override)
did not display; they were replaced by shared response pages, instead. |
PAN-65918 | Fixed an issue on the Panorama virtual appliance
where the third-party backup software BackupExec failed to back
up a quiesced snapshot of Panorama (Panorama in a temporary
state where all write operations are flushed). With this fix, the VMware
Tools bundled with Panorama supports the quiescing option. |
PAN-64981 | Fixed an issue where an internal buffer
could be overwritten, causing the management plane to stop responding. |
PAN-64884 | Fixed an issue where firewalls in an HA
configuration did not synchronize the Layer 2 MAC table; after failover,
the MAC table was rebuilt only on the peer that became active, which
caused excessive packet flooding. |
PAN-64870 | Fixed an issue where a zone with the Type set
to Virtual Wire (Network Zones Strict IP Address Check (Network Network Profiles Zone Protection Packet Based Attack Protection IP Drop |
PAN-64723 | Fixed an issue where the test authentication CLI
command was incorrectly sending vsys-specific information to the
User-ID process for a group-mapping query, which allowed the authentication
test to succeed when it should have failed. |
PAN-64638 | Fixed an issue where the firewall failed
to send a RADIUS access request after changing the IP address of
the management interface. |
PAN-64579 | An error message is now displayed when you manually install
an apps package from a file on a passive Panorama. |
PAN-64525 | Fixed an issue where User-ID failed to update
the allow list for a group name that was larger than 128 bytes. |
PAN-64520 | Fixed an issue where H.323-based video calls
failed when using source NAT (dynamic or static) due to incorrect
translation of the destCallSignalAddress payload
in the H.225 call setup. |
PAN-64436 | Fixed an issue where creation of IGMP sessions
failed due to a timeout issue. |
PAN-64419 | Fixed an issue where the firewall displayed inconsistent
shadow rule warnings during a commit for QoS policies. |
PAN-64081 | Fixed an issue on PA-5000 Series firewalls
where the dataplane stopped responding due to a race condition during
hardware offload. |
PAN-63969 | Fixed an issue on PA-7000 Series firewalls
in an HA configuration where the NPC 40Gbps (QSFP) Ethernet interfaces
on the passive peer displayed link activity on a neighboring device
(such as a switch) to which they connected even though the interfaces
were down on the passive peer. |
PAN-63925 | Fixed an issue where the firewall did not
generate a log when a content update failed or was interrupted. |
PAN-63908 | Fixed an issue where SSH sessions were incorrectly
subjected to a URL category lookup even when SSH decryption was
disabled. With this fix, SSH traffic is not subject to a URL category
lookup when SSH decryption is disabled. |
PAN-63612 | Fixed an issue where User activity reports
on Panorama did not include any entries when there was a space in
the Device Group name. |
PAN-63520 | Fixed an issue where the wrong source zone
was used when logging vsys-to-vsys sessions. |
PAN-63207 | Fixed an issue on PA-7000 Series firewalls
where group mappings did not populate when the group include list
was pushed from Panorama. |
PAN-63054 | Fixed an issue on VM-Series firewalls where
enabling software QoS resulted in dropped packets under heavy traffic
conditions. With this fix, VM-Series firewalls no longer drop packets
due to heavy loads with software QoS enabled and software QoS performance
in general is improved for all Palo Alto Networks firewalls. |
PAN-63013 | Fixed an issue where a commit validation
error displayed when pushing a template configuration with a modified
WildFire file-size setting. With this fix, commit validation takes
place on the managed firewall that tries to commit new template
values. |
PAN-62937 | Fixed an issue where establishing an LDAP
connection over a slow or unstable connection caused commits to
fail when you enabled TLS. With this fix, if you enable TLS, the
firewall does not attempt to establish LDAP connections when you
perform a commit. |
PAN-62797 | Fixed an issue where a process (cdb) intermittently
restarted, which prevented jobs from completing successfully. |
PAN-62513 | Fixed an issue on PA-7000 Series firewalls
in an HA active/passive configuration where the show high-availability path-monitoring command
always showed the NPC as slot 1 even
though the path monitoring IP address was assigned to an interface
in a different NPC slot. This occurred only when the path monitoring
IP address was assigned to an interface in an Aggregate Ethernet
(AE) interface group and the interface group was in a slot other
than slot 1. |
PAN-62057 | Fixed an issue where the GlobalProtect agent
failed to authenticate using a client certificate that had a signature
algorithm that was not SHA1/SHA256. With this fix, the firewall
provides support for the SHA384 signature algorithm for client-based
authentication. |
PAN-61877 | Fixed an issue where Authentication Override in
the GlobalProtect portal configuration didn't work when the certificate
used for encrypting and decrypting cookies was generated using RSA
4,096 bit keys. |
PAN-61871 | Fixed an issue where the firewall matched
traffic to a URL category on first lookup, which caused some
traffic to be matched to the wrong security profile. With this fix,
the firewall matches traffic to URL categories a second time to
ensure that traffic is matched to the correct security profile. |
PAN-61837 | Fixed an issue on PA-3000 Series and PA-5000
Series firewalls where the dataplane stopped responding when a session
crossed vsys boundaries and could not find the correct egress port.
This issue occurred when zone protection was enabled with a SYN Cookies action (Network Zone Protection Flood Protection |
PAN-61813 | Fixed an issue where a custom scheduled
report configured per device was empty when exported. |
PAN-61797 | Fixed an issue on the passive peer in an
HA configuration where LACP flapped when the link state was set
to shutdown/auto and pre-negotiation was disabled. |
PAN-61682 | Fixed an issue where end users either did
not see the Captive Portal web form or saw a page displaying raw
HTML code after requesting an application through a web proxy because
the HTTP body content length exceeded the specified size in the
HTTP Header Content-Length. |
PAN-61465 | Fixed an issue where the web interface ( Objects Decryption Profile SSL Decryption SSL Protocol Settings Encryption Algorithms |
PAN-61365 | Fixed an issue where data filtering logs ( Monitor Logs Data Filtering upload , download ,
or both ) in Objects Security Profiles Data Filtering Monitor Logs Data Filtering |
PAN-61284 | Fixed an issue where User-ID consumed a
large amount of memory when the firewall experienced a high rate
of incoming IP address-to-username mapping data and there were more
than ten redistribution client firewalls at the same time. |
PAN-61252 | Fixed an issue on firewalls in an HA active/active
configuration where the floating IP address was not active on the
secondary firewall after the link went down on the primary firewall. |
PAN-60797 | Fixed an issue where read-only superusers
were able to view threat packet captures (pcaps) on the firewall
but received an error (File not found)
when they attempted to export certain types of pcap files (threat,
threat extpcap, app, and filtering). |
PAN-60753 | Fixed an issue where changing the RSA key
from a 2,048-bit key to a 1,024-bit key forced the encryption algorithm
to change from SHA256 to SHA1 for SSL forward proxy decryption. |
PAN-60581 | Added a check so that an application filter does not
include all the applications if the user selects no application
category. Users must explicitly add all the categories to create
an application filter with all the applications. |
PAN-60577 | Fixed an issue where an application filter
with no categories selected caused the firewall to perform slowly
because the filter defaulted to include all categories ( Objects Application Filters |
PAN-60556 | Added support in the certificate profile
to also configure a non-CA certificate as an additional certificate
to verify the OCSP response received for certificate status validation. The
OCSP Verify CA field in the certificate profile has been changed to
OCSP Verify Certificate. |
PAN-60402 | Fixed an issue where renaming an address
object caused the commit to a Device Group to fail. |
PAN-60340 | Fixed an issue where the Panorama application
database did not display all applications in the browser. |
PAN-60035 | Enhanced dynamic IP NAT translation to prevent
conflicts between different packet processors and improve dynamic
IP NAT pool utilization. |
PAN-59676 | Fixed an issue where firewall administrators
with custom roles (Admin Role profiles) could not download content
or software updates. |
PAN-59654 | Fixed an issue where commits failed on the
firewall after upgrading from a PAN-OS 6.1 release due to incorrect
settings for the HexaTech VPN application on the firewall. With
this fix, upgrading from a PAN-OS 6.1 release to a PAN-OS 8.0.0
or later release does not cause commit failures related to these
settings. |
PAN-59614 | Fixed an issue where administrators were
unable to fully utilize the maximum of 64 address objects per FQDN
due to the 512B DNS server response packet size; specified addresses
that were not included in the first 512B were dropped and not resolved.
With this fix, the size of the DNS server response packet is increased
to 4,096B, which fully supports the maximum 64 combined address
objects per FQDN (up to 32 each IPv4 and IPv6 addresses). |
PAN-58636 | Fixed an issue where configuring too many
applications and individual ports in a security rule caused the
firewall to stop responding. With this fix, the firewall continues
responding and sends the following error message:
|
PAN-58496 | Fixed an issue where custom reports using
threat summary were not populated. |
PAN-58382 | Fixed an issue where users were matched
to the incorrect security policies. |
PAN-58358 | Fixed an issue where CSV exports for Unified
logs ( Monitor Logs Unified |
PAN-57529 | Fixed an issue where the firewall acted
as a DHCP relay and wireless devices on a VLAN did not receive a
DHCP address (all other devices on the VLAN did receive a DHCP address).
With this fix, all devices on a VLAN receive a DHCP address when
the firewall acts as a DHCP relay. |
PAN-57440 | Fixed an issue where OSPFv3 link-state updates
were sent with the incorrect OSPF checksum when the OSPF packet
needed to advertise more link-state advertisements (LSAs) than fit
into a 1,500-byte packet. With this fix, the firewall sends the
correct OSPF checksum to neighboring switches and routers even when
the number of LSAs doesn’t fit into a 1,500-byte packet. |
PAN-57215 | Fixed an issue where an HTTP 416 error appeared
when trying to download updates to a client from an IBM BigFix update
server. |
PAN-56700 | Fixed an issue where the SNMP OID ifHCOutOctets
did not contain the expected data. |
PAN-56684 | Fixed an issue where DNS proxy static entries
stopped working when there were duplicate entries in the configuration. |
PAN-53659 | Fixed an issue where the sum of all link
aggregation group (LAG) interfaces was greater than the value of
the Aggregate Ethernet (AE) interface. |
PAN-50973 | Fixed an issue for VM-Series firewalls on
Microsoft Hyper-V where, although the FIPS-CC mode option was visible
in the maintenance mode menu, you could not enable it. With this
fix, FIPS-CC mode is supported for and can be enabled from the maintenance
mode menu in VM-Series firewalls on Microsoft Hyper-V. |
PAN-50038 | Fixed an issue where the maximum transmission
unit (MTU) size on the interfaces did not increase as expected when
you enabled jumbo frames on a VM-Series firewall in AWS using the set deviceconfig setting jumbo-frame mtu configuration mode
CLI command (the MTU on each interface remained at a maximum value
of 1,500 bytes). |
PAN-48095 | Fixed an issue on PA-200 firewalls
where the Panorama dynamic update schedule ignored the currently
installed dynamic update version and installed unnecessary dynamic
updates. |
PAN-40842 | Fixed a cosmetic issue where, when you configured
a firewall to retrieve a WildFire signature package, the System
log showed unknown version for that
package. For example, after a scheduled WildFire package update,
the System log showed:
|