PAN-OS 8.0.1 Addressed Issues
PAN-OS 8.0.1 addressed issues
Fixed an issue in a WildFire appliance cluster that had three nodes where decommissioning the active (primary) controller node failed.
Fixed an issue where the direction (dir) parameter used in type=log XML API requests was incorrectly made a required parameter, which caused applications that use the type=log request to fail when the dir argument was not included in the request. With this fix, the direction parameter is again optional.
Fixed an issue where Authentication policy incorrectly matched traffic coming from known users—those included in the Terminal Services (TS) agent user mapping—and displayed the captive portal page. With this fix, only unknown users are directed to the captive portal page.
Fixed an issue where some platforms did not connect to BrightCloud after you upgraded to PAN-OS 8.0.
Fixed an issue where new fields in Threat and HIP Match logs were inserted between existing fields, which disrupted some third-party integrations. With this fix, the new fields are appended at the end of all pre-existing fields.
Fixed an issue where firewalls and Panorama did not forward logs as expected when the local machine time was not set to current local time and was set to a time between current UTC time and current UTC time plus <n>, where <n> is the UTC+<n> value for the current time zone.
Fixed an issue where you could not upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0. With this fix, you can upgrade VM-Series firewalls on AWS in an HA configuration to PAN-OS 8.0.1 or a later PAN-OS 8.0 release.
Fixed an issue where you were unable to generate a SAML metadata file for Captive Portal or GlobalProtect when the firewall had multiple virtual systems because there were no virtual systems available for you to select when you clicked the Metadata link associated with an authentication profile.
Fixed an issue where, after you upgraded a firewall to PAN-OS 8.0, the firewall didn't apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until after you performed a commit on the firewall. With this fix, changes to the predefined malicious IP address feeds are automatically applied when delivered to the firewall.
Fixed an issue on VM-300, VM-500, and VM-700 firewalls where you were required to commit changes a second time after adding an interface before traffic would pass normally.
Fixed an issue where Panorama did not display any results when you filtered logs or generated reports based on user groups even after you enabled reporting and filtering on groups.
Fixed an issue where the passive Panorama peer in an HA configuration showed shared policy to be out of sync even when the device group commit from the active peer was successful.
Fixed an issue where authentication failed for client certificates signed by a CA certificate that was not listed first in the Certificate Profile configured with client certificate authentication for GlobalProtect portals and gateways.
Fixed an issue where you could not push notifications as an authentication factor if the firewall was integrated with Okta Adaptive as the multi-factor authentication (MFA) vendor.
Fixed an issue where your web browser displayed the error message 400 Bad Request when you tried to access a PAN-OS web interface that shared the same FQDN as the GlobalProtect portal that hosted Clientless VPN applications.
Fixed an issue where the App Scope Change Monitor and Network Monitor reports failed to display data if you filtered by Source or Destination IP addresses when logging rates were high. This fix also addresses an issue where the App Scope Summary report failed to display data for the Top 5 Bandwidth Consuming Sources and Top 5 Threats when logging rates were high.
Improved file-type identification for Office Open XML (OOXML) files, which improves the ability for WildFire to accurately classify OOXML files as benign or malicious.
Fixed an issue where the severity level of the Failed to sync PAN-DB to peer: Peer user failure syslog message was too high. With this fix, the message severity level is info instead of medium.
Fixed an issue in Panorama HA active/passive configurations where Elasticsearch parameters were not pushed to the passive peer.
Fixed an issue where the firewall was unable to mark BFD packets with appropriate DSCP values.
Fixed an issue where the Panorama web interface and CLI displayed a negative value for the Log Storage capacity (PanoramaCollector Groups<Collector_GroupsGeneral).
Fixed an issue where running the clear session all CLI command on a PA-5200 Series firewall in a high availability (HA) configuration caused the firewall to fail over due to an issue with path monitoring.
Fixed an issue where, after you configured a BGP IPv6 aggregate address with an Advertise Filter that had both a prefix filter and a next-hop filter, the firewall advertised only the aggregate address and did not advertise the specific routes that the Advertise Filter covered (NetworkVirtual Routers<router>BGPAggregate<address>Advertise Filters<advertise_filter>).
Fixed an issue where the firewall generated an ECDSA certificate signing request (CSR) using the SHA1 algorithm instead of the selected algorithm.
Fixed an issue where the output of the test authentication authentication-profile CLI command intermittently displayed authentication/authorizationfailed for user for TACACS+ authentication profiles even though the administrator could successfully log in to the web interface or CLI using the same credentials as were specified in the test command.
Fixed an issue on PA-5000 Series firewalls where the dataplane restarted due to specific changes related to certificates or SSL profiles in a GlobalProtect configuration; specifically, configuring a new gateway, changing a certificate linked to GlobalProtect, or changing the minimum or maximum version of the TLS profile linked to GlobalProtect.
Fixed an issue where MAC address table entries with a time-to-live (TTL) value of 0 were not removed as expected, which caused the table to continually increase in size.
Fixed an issue where LDAP authentication failed intermittently due to a race condition.
Fixed an issue with delays of up to 10 seconds before the firewall transmitted the audio/video stream when you set up a VoIP call on a PA-5200 Series firewall using the Session Initiation Protocol (SIP).
Fixed an issue where custom reports did not display results for queries that specified the Negate option, Contains operator, and a Value that included a period (.) character preceding a filename extension.
Fixed an issue where new logs were lost if the log purging process started running before you started log migration after an upgrade to PAN-OS 8.0.
A security-related fix was made to prevent tampering with files that are exported from the firewall web interface (CVE-2017-7217/PAN-SA-2017-0008).
Fixed an issue where SMTP email servers did not receive PDF reports from the firewall because the report emails had line separators that used bare LF instead of CRLF.
Fixed an issue where firewalls running in FIPS-CC mode did not allow import of SHA-1 CA certificates even when the private key was not included; instead, firewalls displayed the following error:
Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
Fixed an issue where the Panorama web interface and CLI respond slowly when numerous NSX plugins are in progress.
Fixed an issue where the firewall did not properly close a session after receiving a reset (RST) message from the server if the SYN Cookies action was triggered.
Fixed an issue where the URL link included in the email for a SaaS Application Usage report (so that you could retrieve the report from the firewall web interface) triggered third-party spam filters deployed in your network.
Fixed an issue where PAN-OS did not apply the capacity license when you used a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall because the firewall did not reboot after the license was applied.
Fixed an issue where the SaaS Application Usage report displayed upload and download bandwidth usage numbers incorrectly in the Data Transfer by Application section.
Fixed an issue where the 7.1 SNMP traps MIB (PAN-TRAPS.my) had an incorrect description for the panHostname attribute.
Fixed an issue on PA-5000 Series firewalls where the dataplanes became unstable when jumbo frames and first packet broadcasting were both enabled. With this fix, first packet broadcasting is disabled by default on PA-5000 Series firewalls.
Fixed an issue where existing users were removed from user-group mapping when the Active Directory (AD) did not return an LDAP Page Control in response to an LDAP refresh, which resulted in the following User-ID (useridd) logs:
debug: pan_ldap_search(pan_ldap.c:602): ldap_parse_result error code: 4 Error: pan_ldap_search(pan_ldap.c:637): Page Control NOT found
Firewalls did not support tunnel content inspection in a virtual-system-to-virtual-system topology.
Fixed an issue where Panorama did not maintains its connections to firewalls if it received logs at a high rate and the logs matched queries and other settings in scheduled reports.
Fixed an issue on Panorama virtual appliances in an HA configuration where, if you enabled log forwarding to syslog, both the active and passive peers sent logs. With this fix, only the active peer sends logs when you enable log forwarding to syslog.
Fixed an issue on firewalls with multiple virtual systems where inner flow sessions installed on dataplane 1 (DP1) failed if you configured tunnel content inspection for traffic in a shared gateway topology. Additionally with this fix, when networking devices behind the shared gateway initiate traffic, that traffic can now reach the networking devices behind the virtual systems.
Fixed an issue for the Apple Safari browser in Private Browsing mode where the firewall did not redirect you to the service or application—even when authentication succeeded—when you requested a service or application that required multi-factor authentication (MFA).
Fixed an issue where the show global-protect-portal statistics CLI command was not supported.
Fixed an issue on the M-500 and M-100 appliances in Panorama mode where emailed custom reports contained no data if you configured a report query that used an Operator set to contains (MonitorManage Custom Reports).
A security-related fix was made to prevent firewall administrators logged in as root from using GNU Wget to access remote servers and write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource (CVE 2016-4971).
Fixed an issue where the dataplane restarted due to a memory leak (mprelay) that occurred if you did not disable LLDP when you disabled an interface with LLDP enabled (NetworkInterfaces<interface>AdvancedLLDP).
Fixed an issue where a QoS profile failed to work as expected when applied to a clear text node configured with an Aggregate Ethernet (AE) source interface that included AE subinterfaces.
Fixed an issue on PA-7000 Series firewalls in an HA active/passive configuration where QoS limits were not correctly enforced on Aggregate Ethernet (AE) subinterfaces.