End-of-Life (EoL)
PAN-OS 8.0.10 Addressed Issues
PAN-OS® 8.0.10 addressed issues
Issue ID | Description |
|---|---|
WF500-4625 | Fixed an issue where the WF-500 appliance
provided no option to configure the master key. With this fix, you
can use the request master-key new-master-key CLI
command to configure the master key.<key> lifetime <lifetime> |
WF500-4363 | Fixed an issue where firewalls and Panorama
management servers could not retrieve reports from a WF-500 appliance
due to an interruption in its data migration after you upgraded
the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later
release. With this fix, you can run the new debug device data-migration status CLI
command on the WF-500 appliance after each upgrade to verify data migration
finished successfully (output is Migration inMySQL is successful ).
Don't perform additional upgrades on the WF-500 appliance until
the data migration finishes. |
PAN-95504 | Fixed an issue on the firewall and Panorama
management server where the web interface became unresponsive because
the management server process ( mgmtsrvr ) restarted
after you set its debugging level to debug (through
the debug management-server on debug CLI command). |
PAN-95197 | Fixed an issue where mobile endpoints that
used GPRS Tunneling Protocol (GTP) lost traffic and had to reconnect
because the firewall dropped the response message that a Gateway
GPRS support node (GGSN) sent for a second Packet Data Protocol
(PDP) context update. |
PAN-94912 | Fixed an issue where PA-5200 Series and
PA-3200 Series firewalls in an active/active HA configuration sent
packets in the wrong direction in a virtual wire deployment. |
PAN-94853 | Fixed an issue where mobile endpoints that
use GPRS Tunneling Protocol (GTP) lose GTP-U traffic because the
firewall dropped all GTP-U packets as packets without sessions after
receiving two GTP requests with the same tunnel endpoint identifiers
(TEIDs) and IP addresses. |
PAN-94379 | Fixed an issue in a Panorama deployment
with a Collector Group containing multiple Log Collectors where
the logging search engine restarted after you changed the SSH keys
used for HA. The disruption to the search engine caused an out-of-memory
condition and caused Panorama to display logs and report data from
only one Log Collector in the Collector Group. |
PAN-94167 | Fixed an issue where a firewall forwarded
a deleted or expired IP address-to-username mapping to another firewall
through User-ID Redistribution but the receiving firewall still
displayed the mapping as an active IP address-to-username mapping. |
PAN-93839 | Fixed an issue where administrators failed
to log in to the firewall due to an out-of-memory condition that
intermittently caused the firewall to continuously restart processes.
(PAN-90143 provided an
initial memory enhancement in PAN-OS 8.0.9 that reduced the frequency
of these out-of-memory events.) |
PAN-93715 | In certain customer environments, enhancements
in PAN-OS 8.0.10 to change fan speeds may help reduce rare cases
of drive communication failure in PA-5200 Series firewalls. |
PAN-93522 | Fixed an issue on firewalls in an HA configuration
where traffic was disrupted because the dataplane restarted unexpectedly
when the firewall concurrently processed HA messages and packets
for the same session. This issue occurred on all firewall models
except the PA-200 and VM-50 firewalls. |
PAN-93336 | Fixed an issue where the firewall intermittently
became unresponsive because the management server process ( mgmtsrvr )
stopped responding during a commit after you configured policy rules
to use external dynamic lists (EDLs). |
PAN-93244 | A security-related fix was made to prevent
a Cross-Site Scripting (XSS) attack through the PAN-OS session browser
(CVE-2018-9335). |
PAN-93234 | Fixed an issue where a Panorama management
server running PAN-OS 8.0 could not switch Context to
a firewall running PAN-OS 7.1 or an earlier release. |
PAN-93233 | Fixed an issue where PA-7000 Series firewalls
caused slow traffic over IPSec VPN tunnels because the firewalls
reordered TCP segments during IPSec encryption when the tunnel session
and inner traffic session were on different dataplanes. |
PAN-93089 | A security-related fix was made to prevent
denial of service (DoS) to the management web interface (CVE-2018-8715). |
PAN-93052 | Fixed an issue where IPv6 BGP peering persisted
(not all BGP routes were withdrawn) after the associated firewall
interface went down. |
PAN-92789 | Fixed an issue where VM-Series firewalls
deleted logs by reinitializing the logging disk when the periodic
file system integrity check (FSCK) took over 30 minutes during bootup. |
PAN-92725 | Fixed an issue on the firewall and Panorama
management server where the web interface became unresponsive because
the cord process restarted after you configured multiple
log forwarding destinations in a single forwarding rule for Correlation
logs (Device Log Settings |
PAN-92678 | Fixed an issue on Panorama management servers
in an HA configuration where, after failover caused the secondary
HA peer to become active, it failed to deploy scheduled dynamic
updates to Log Collectors and firewalls. |
PAN-92487 | Fixed an issue where enabling jumbo frames ( Device Setup Session
|
PAN-92251 | Fixed an issue where VM-Series firewalls
used the incorrect MAC address in DHCP messages initiated from a
subinterface after you configured that subinterface as a DHCP
Client (Network Interfaces Ethernet <subinterface> IPv4 Use Hypervisor Assigned MAC Address option (Device Management Setup General Settings |
PAN-92152 | Fixed an issue where the firewall web interface
displayed a blank Device Licenses |
PAN-92082 | Fixed an issue where the firewall didn't
generate URL Filtering logs for user credential submissions associated
with a URL that was not a container page after you selected Log
container page only and set the User Credential Submission action
to alert for the URL category in a URL Filtering
profile (Objects Security
Profiles URL Filtering <ULR_Filtering_profile> Log
container page only in the URL Filtering profile. |
PAN-92017 | Fixed an issue where Log Collectors that
belonged to a collector group with a space in its name failed to
fully connect to one another, which affected log visibility and
logging performance. |
PAN-91591 | Fixed an issue where the Globalprotect agent
failed to establish a TCP connection with the Globalprotect gateway
when TCP SYN packets had unsupported congestion notification flag
bits set (ECN or CWR). |
PAN-91429 | Fixed an issue where PA-5200 Series firewalls
rebooted when you ran the set ssh service-restart mgmt CLI command
multiple times. |
PAN-91360 | Fixed an issue where, in rare cases, the
firewall couldn't establish connections with GlobalProtect agents
because the rasmgr process stopped responding when
hundreds of end users logged in and out of GlobalProtect at the
same time. |
PAN-91194 | Fixed an issue where a firewall dataplane
running with high CPU utilization became unstable and the all_pktproc process stopped
responding when the firewall processed a high rate of IP addresses
with unknown usernames for User-ID mappings. |
PAN-91098 | Fixed an issue in Layer 2 deployments where
using ECDHE ciphers for SSL Inbound Inspection decryption caused
sessions to become stuck and ultimately time out. |
PAN-91088 | Fixed an issue on PA-7000 Series firewalls
in an HA configuration where the HA3 link did not come up after
you upgraded to PAN-OS 8.0.6 or a later 8.0 release. |
PAN-90959 | Fixed an issue where PA-5200 Series firewalls
dropped offloaded sessions after you selected to Enforce
Symmetric Return in a Policy Based Forwarding (PBF)
policy rule (Policies Policy
Based Forwarding <PBF_rule> Forwarding |
PAN-90954 | A security-related fix was made to prevent
a local privilege escalation vulnerability that could potentially
result in the deletion of files (CVE-2018-9242). |
PAN-90920 | Fixed an issue on PA-5200 Series firewalls
where the dataplane restarted due to an internal path monitoring
failure. |
PAN-90890 | Fixed an issue where the User-ID process ( useridd )
stopped responding when a virtual system connected to more than
one User-ID agent with NT LAN Manager (NTLM) enabled. |
PAN-90842 | Fixed an issue where commits failed after
you changed the default Size Limit to a custom
value for MacOSX files that the firewall forwarded to WildFire (Device Setup WildFire |
PAN-90692 | Fixed an issue where PA-5200 Series firewalls
dropped offloaded traffic after you enabled session offloading (enabled
by default), configured subinterfaces on the second aggregate Ethernet
(AE) interface group ( ae2 ), and configured
QoS on a non-AE interface. |
PAN-90689 | Fixed an issue where firewalls in an active/active
HA configuration dropped packets in IPSec tunnel traffic because
the secondary firewall didn't update the Encapsulating Security
Payload (ESP) sequence number during failover. |
PAN-90688 | Fixed an issue where end users could not
access applications through GlobalProtect Clientless VPN when the
application server used cookie-based session persistence through
HTML metadata. |
PAN-90623 | Fixed an issue where the Panorama management
server displayed template configurations as Out ofSync for
firewalls with multiple virtual systems even though the template configurations
were in sync. |
PAN-90514 | Fixed an issue on firewalls in an active/active
HA configuration where the secondary firewall dropped ping and SSH
sessions on its virtual wire interfaces when the primary firewall
was the session owner. |
PAN-90509 | Fixed an issue where end users could not
access applications through GlobalProtect Clientless VPN because
the firewall failed to respond correctly to a client certificate
request from the application server. |
PAN-90462 | Fixed an issue on the Panorama management
server where System logs displayed null as
the client IP address for the log forwarding connections of PA-7000
Series firewalls that forwarded logs to Panorama. |
PAN-90371 | Fixed an issue where the firewall didn't
record an IP address-to-username mapping for a user who successfully
logged in to the GlobalProtect gateway. |
PAN-90337 | Fixed an issue where Panorama Log Collectors
stopped forwarding URL Filtering logs over TCP to a syslog server
after failing to create the required last-candidatecfg.xml file. |
PAN-90291 | Fixed an issue on Panorama virtual appliances
in Panorama mode that were deployed in an HA configuration with
local Log Collectors in a single Collector Group, where HA failover
caused the logging search engine to stop functioning. This issue
prevented the secondary HA peer from displaying existing logs or
receiving new logs until the search engine recovered. |
PAN-90290 | Fixed an issue on the Panorama management
server where commits failed with schema validation errors. |
PAN-89998 | Fixed an issue where the Panorama management
server stopped receiving new logs from firewalls because delayed
log purging caused log storage on the Log Collectors to reach maximum
capacity. |
PAN-89992 | Fixed an issue where the firewall did not
efficiently handle traffic in which the number of Address Resolution
Protocol (ARP) packets exceeded the processing capacity of the firewall.
With this fix, the firewall handles ARP packets more efficiently. |
PAN-89461 | Fixed an issue where accessing websites
that had normal gzip content-encoding generated multi-level encoding
errors. |
PAN-89353 | Fixed an issue where stale IP address-to-username
mappings in the User-ID cache intermittently prevented the firewall
from refreshing the mappings or creating new ones. |
PAN-89162 | Fixed an issue where commits and content
update installations failed due to memory allocation errors. |
PAN-88908 | Fixed an issue where the Panorama management
server generated custom reports in which the number of lines exceeded
what you specified in the report configuration ( Monitor Manage Custom Reports |
PAN-88880 | Fixed an issue where client browsers stopped
responding after downloading a file that triggered a Security policy
rule with a File Blocking profile in which the Action was continue (Objects Security Profiles FileBlocking |
PAN-88852 | Fixed an issue where VM-Series firewalls
stopped displaying URL Filtering logs after you configured a URL
Filtering profile with an alert action ( Objects Security Profiles URL Filtering |
PAN-88752 | Fixed an issue where User-ID agents configured
to detect credential phishing did not detect passwords that contained
a blank space. |
PAN-88388 | Fixed an issue where you could not export
certificates when you accessed the firewall web interface through
a browser that ran Firefox v56 or later or ran Chrome v66 or later ( Device Certificate Management Certificates Device Certificates |
PAN-88200 | Fixed an issue where firewalls with multiple
virtual systems did not import EDLs that you assigned to policy
rules. |
PAN-87964 | Fixed an issue where the firewall couldn't
render URL content for end users after you configured GlobalProtect
Clientless VPN with a Hostname set to a Layer
3 subinterface or VLAN interface (Network GlobalProtect Portals <portal> Clientless VPN General |
PAN-87926 | Fixed an issue where commit operations took
longer than expected to finish on firewalls that had over 100 policy
rules that referenced tens of thousands of IP addresses. |
PAN-87552 | Fixed an issue where commit validation failed
on firewalls after you disabled the option to Share Unused
Address and Service Objects with Devices on the Panorama
management server, assigned the firewalls to a template stack, and
pushed an interface configuration that referenced an address object
instead of an address that you typed. |
PAN-87520 | Fixed an issue where the Cross-Origin Resource
Sharing (CORS) policy on the firewall allowed requests from other
domains to interact with the firewall through PAN-OS XML API requests
and read responses. With this fix, the CORS policy is disabled on
the firewall. |
PAN-87265 | Fixed an issue where the Panorama management
server displayed no output for the User Activity Report ( Monitor PDF Reports User Activity Report |
PAN-86647 | Fixed an issue on the Panorama management
server where editing the Description of a
shared policy rule and clicking OK caused
the Target setting to revert to Any firewalls
instead of the selected firewalls. |
PAN-86630 | Fixed an issue where the firewall dropped
H.323 gatekeeper-assisted calls after failing to perform NAT translation
of third-party addresses in H.323 messages. |
PAN-85206 | Fixed an issue where VM-Series firewalls
for NSX did not forward files to the WildFire cloud for analysis. |
PAN-83890 | Fixed an issue on the Panorama management
server where you could not preview configuration changes after you
switched Context to a firewall, added an
administrative account to the firewall, and then clicked Commit and Preview
Changes . |
PAN-83361 | Fixed an issue where Panorama Log Collectors
did not receive firewall logs due to incorrect permissions after
you upgraded the Panorama software. |
PAN-82942 | Fixed an issue where the firewall rebooted
because the User-ID process ( useridd ) restarted several
times when endpoints, while requesting services that could not process
HTTP 302 responses (such as Microsoft update services), authenticated
to Captive Portal through NT LAN Manager (NTLM) and immediately disconnected. |
PAN-81751 | Fixed an issue where the firewall displayed
the following error when you tried to log in to the web interface
after a report job took a configuration lock: Timedout while getting config lock. Please try again . |
PAN-81588 | Fixed an issue where the ciphers you specified
for access to the firewall management (MGT) interface didn't work
after a PAN-OS upgrade because the sshd_config file containing the
SSH running configuration became blank. |
PAN-81382 | Fixed an issue where the firewall took longer
than expected to collect group mapping information from Active Directory
groups that had circular nesting ( Device User Identification Group Mapping Settings <group_mapping_configuration> Group Include List |
PAN-80664 | Fixed an issue where the firewall generalizes
messages received from back-end authentication servers instead of
displaying the messages without modification. |
PAN-79695 | Fixed an issue on PA-7000 Series, PA-5200
Series, and PA-5000 Series firewalls where the clear session all filter CLI
command cleared sessions only on dp1 when that dataplane was the
session owner instead of clearing sessions on all dataplanes. With
this fix, the command clears sessions on all dataplanes regardless
of which is the session owner. |
PAN-79317 | Fixed an issue where the firewall failed
to prepare a USB flash drive for bootstrapping when the drive had
8GB or more memory. |
PAN-79071 | Fixed an issue where loading a partial configuration
(using the load config partial CLI command)
changed the port numbers in service and service group objects. |
PAN-78046 | Fixed an issue where only administrators
with the predefined superuser role could specify the Number
of Bits and Digest algorithm
when generating a certificate to be Signed By an External
Authority (CSR) (Device Certificate Management Certificates |
PAN-77229 | Fixed an issue on firewalls with SSL Forward
Proxy decryption enabled where the dataplane restarted due to an
out-of-memory condition after you performed multiple commits. |
PAN-71902 | Fixed an issue where, after you used a configuration
mode CLI command to create a zone without specifying the interface
type ( set zone ),
the firewall web interface displayed the type as layer3 (<zone_name> networkNetwork Zones |
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.
