PAN-OS 8.0.11 Addressed Issues
Fixed an issue where a Panorama appliance running PAN-OS 8.1.2 was unable to connect to the Logging Service.
Fixed a rare issue where the task manager failed to load in the web interface when a pending job caused subsequent completed jobs to be inappropriately held in memory.
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls intermittently failed to forward logs to Log Collectors or the Logging Service due to DNS resolution failure for the FQDNs of those log receivers.
Fixed an issue where syslog servers misrepresented HIP Match, Authentication, and User-ID logs received from the firewall because the order changed in the first seven syslog fields for those log types. With this fix, the first seven syslog fields are the same for all log types.
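The syslog fix above matters because most SIEM and syslog-server parsers key on field position, so a per-type change in the leading fields silently misfiles events. The following is an added example, not code from the release notes or from PAN-OS: it splits constructed PAN-OS-style syslog messages, maps the first seven CSV fields to names, and flags any line whose leading fields are not where a uniform layout puts them. The field names (FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time) are assumed from the PAN-OS 8.0 syslog field reference rather than stated on this page, and the sample lines are constructed, not captured from a firewall.

```python
import csv
import re
from typing import Dict, List, Tuple

# Positional names for the seven leading CSV fields. Assumption of this
# example: taken from the PAN-OS 8.0 syslog field reference, not from this page.
COMMON_FIELDS = (
    "future_use_1", "receive_time", "serial_number", "log_type",
    "subtype", "future_use_2", "generated_time",
)
KNOWN_LOG_TYPES = {
    "TRAFFIC", "THREAT", "SYSTEM", "CONFIG", "HIP-MATCH", "USERID",
    "AUTHENTICATION",
}
PAN_TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")


def split_pan_syslog(line: str) -> List[str]:
    """Return the CSV fields of a PAN-OS syslog message.

    The firewall prefixes a plain syslog header (PRI, timestamp, hostname) and
    then sends the log as one CSV record, so the body starts at the last space
    before the first comma. csv handles quoted fields that contain commas.
    """
    first_comma = line.index(",")
    body = line[line.rfind(" ", 0, first_comma) + 1:]
    return next(csv.reader([body]))


def parse_common(line: str) -> Dict[str, str]:
    """Map the first seven fields to names, independent of log type."""
    fields = split_pan_syslog(line)
    if len(fields) < len(COMMON_FIELDS):
        raise ValueError(f"only {len(fields)} fields, expected at least 7")
    return dict(zip(COMMON_FIELDS, fields))


def check_common_layout(line: str) -> Tuple[bool, str]:
    """Flag a line whose leading fields are not in the expected positions.

    A parser keyed on positions 1-7 silently misfiles events when the order
    differs per log type (the pre-fix behaviour described above); this check
    makes the mismatch visible instead of letting it pass.
    """
    common = parse_common(line)
    if common["log_type"] not in KNOWN_LOG_TYPES:
        return False, f"field 4 is {common['log_type']!r}, not a log type"
    for name in ("receive_time", "generated_time"):
        if not PAN_TIMESTAMP.match(common[name]):
            return False, f"{name} field is {common[name]!r}, not a timestamp"
    return True, "leading fields consistent"


# Constructed sample messages (not captured from a real firewall). The first
# three use the uniform post-fix layout; the last has its leading fields in a
# different order, standing in for the pre-fix behaviour the note describes
# without specifying exactly which fields moved.
SAMPLE_LINES = [
    '<14>Jun 12 10:00:01 fw01 1,2018/06/12 10:00:01,001801000001,TRAFFIC,end,1,2018/06/12 10:00:01,10.1.1.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,"alice,corp",,web-browsing',
    '<14>Jun 12 10:00:02 fw01 1,2018/06/12 10:00:02,001801000001,HIP-MATCH,0,1,2018/06/12 10:00:02,corp\\alice,vsys1,LAPTOP-01,10.1.1.5,Windows-Compliant,profile',
    '<14>Jun 12 10:00:03 fw01 1,2018/06/12 10:00:03,001801000001,AUTHENTICATION,0,1,2018/06/12 10:00:03,vsys1,10.1.1.5,corp\\alice,,gp-portal,corp-radius',
    '<14>Jun 12 10:00:04 fw01 1,001801000001,2018/06/12 10:00:04,0,HIP-MATCH,1,corp\\alice,2018/06/12 10:00:04,vsys1,LAPTOP-01,10.1.1.5',
]


def triage(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Return (field-4 value, ok, reason) per line for the operator to review."""
    results = []
    for line in lines:
        ok, reason = check_common_layout(line)
        results.append((parse_common(line)["log_type"], ok, reason))
    return results


if __name__ == "__main__":
    for log_type, ok, reason in triage(SAMPLE_LINES):
        print(f"{'OK  ' if ok else 'FLAG'} {log_type:15s} {reason}")
```

Run it once against a few real lines of each type from a firewall that has not yet been upgraded to 8.0.11 and again after the upgrade; any HIP Match, Authentication or User-ID line the check flags before the upgrade is one your syslog server has been mis-categorizing.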
Fixed a memory corruption error that caused the dataplane to restart when content decode length was zero.
Fixed an issue where routing FIB entries that were learned from a BGP peer were not deleted when BGP Peering went down.
Fixed an issue where multicast FIB entries were inconsistent across dataplanes, which caused the firewall to intermittently drop multicast packets.
Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over. This fix requires the VMware NSX plugin 2.0.4 or a later version.
Fixed an issue where PA-5200 Series firewalls in a high availability (HA) active/active configuration experienced internal packet corruption that caused the firewalls to stop passing traffic when the active member of a cluster came back up as passive after being either suspended or rebooted (moving from tentative to passive state).
Fixed an issue with firewalls in a high availability (HA) configuration where an HA sync initiated from the active peer caused a race condition while the previous request was still being processed.
Fixed an issue where the Panorama management server exported reports slowly or not at all due to DNS resolution failures.
Fixed an issue where WildFire submissions with a filename that contained %20n or a subject that contained %n caused the management server (mgmtsrvr) process to stop responding.
Fixed an issue where the firewall recorded GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage packet captures (PCAPs).
Fixed an issue where QSFP+ interfaces (13 and 14) on a PA-7000-20GQ-NPC Network Processing Card (NPC) unexpectedly flapped when the card was booting up.
Fixed an issue where the firewall used an incorrect next hop in the Border Gateway Protocol (BGP) route that it advertised to External BGP (eBGP) peers in the BGP peer group.
Fixed an issue where firewalls intermittently blocked SSL traffic due to a certificate timeout error after you enabled SSL Forward Proxy decryption and selected to Block sessions on certificate status check timeout (Objects > Decryption Profile > <Decryption_profile> > SSL Decryption > SSL Forward Proxy).
Fixed an issue where Bidirectional Forwarding Detection (BFD) sessions were active in only one virtual router when two or more virtual routers had active BGP sessions (with BFD enabled) using the same peer IP address.
Fixed an issue where the request system external-list show type ip name <EDL_name> CLI command did not display external dynamic list entries after you restarted the management server (mgmtsrvr) process.
Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic due to high CPU usage by the pan_task process.
A security-related fix was made to address vulnerabilities related to some SAML implementations (CVE-2018-0486 and CVE-2018-0489). Refer to www.kb.cert.org/vuls/id/475445 for details.
Fixed an issue on PA-200 firewalls where disk space usage was constantly running high and often reaching maximum capacity. With this fix, the PA-200 firewall purges logs more quickly and it no longer requires as much space for monitor daemons.
Fixed an issue where the firewall failed to perform decryption because endpoints tried to resume decrypted inbound perfect forward secrecy (PFS) sessions.
Fixed an issue where the firewall dataplane restarted, disrupting traffic, because the all_pktproc process stopped responding when the firewall decoded HTTP message bodies with chunked transfer encoding or gzip-compressed data.
Fixed an issue where the firewall silently dropped the first packet of a session when that packet was received as a fragmented packet (typically with UDP traffic).
Fixed an issue where the Panorama management server failed to export Traffic logs as a CSV file (Monitor > Logs > Traffic) after you set the Max Rows in CSV Export to more than 500,000 rows (Panorama > Setup > Management > Logging and Reporting Settings > Log Export and Reporting).
Fixed an issue on VM-Series firewalls for KVM where applications that relied on multicasting failed because the firewalls filtered multicast traffic by the physical function (PF) after you configured them to use single root I/O virtualization (SR-IOV) virtual function (VF) devices.
Fixed an issue where firewall CPU usage reached 100 per cent due to SNMP polling for logical interfaces based on updates to the Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my).
Fixed an issue where automatic threat packet captures on the firewall displayed a "File not found" error when you attempted to retrieve these captures from a Threat log entry.
A security-related fix was made to prevent a Cross-Site Scripting (XSS) vulnerability in a PAN-OS web interface administration page (CVE-2018-9337).
Fixed an issue where disk utilization increased unnecessarily because the firewall did not archive and rotate the /var/on file, which therefore grew to over 40MB.
Fixed an issue where the firewall assigned the wrong URL filtering category to traffic that contained a malformed host header. With this fix, you can block any traffic that has a malformed URL.
Fixed an issue on the Panorama management server where administrators with read-only privileges could not view deployment Schedules for content updates (Panorama > Device Deployment > Dynamic Updates).
Fixed an issue where the root partition became full. With this fix, the /tmp/tplsp_to_validate.xml file and the /tmp/panorama_pushed folder are moved to the /opt/pancfg/mgmt/tmp folder.
Fixed an issue on the Panorama management server where administrators couldn't log in to the web interface because disk space utilization reached 100 per cent due to the continuous growth of cmserror log files.
Fixed an issue where PA-5200 Series firewalls in an active/passive high availability (HA) configuration dropped Bidirectional Forwarding Detection (BFD) sessions when the passive firewall was in an initialization state after you rebooted it.
Fixed an issue where the firewall was intermittently sending incorrect bytes-per-packet values for some flows to the NetFlow collector.
Fixed an issue where firewalls in an active/passive high availability (HA) configuration took longer than expected to fail over after you configured them to redistribute routes between an Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP).
Fixed an issue where the firewall intermittently did not apply antivirus exceptions after you added more than one in an Antivirus profile (Objects > Security Profiles > Antivirus > <Antivirus_profile> > Virus Exception).
Fixed an issue where a certificate was loaded without a digital signature, which caused the configuration daemon (configd) to stop responding.
Fixed an issue where the firewall failed to generate tech support logs because there was not enough disk space available.
Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translated the destination address for a host that resided on a directly attached network.
Fixed an issue where end user accounts were locked out after you configured authentication based on a RADIUS server profile with multiple servers (Device > Server Profiles > RADIUS) and enabled the gateway to Retrieve Framed-IP-Address attribute from authentication server (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <clients_configuration> > IP Pools). With this fix, instead of requesting framed IP addresses from all the servers in a RADIUS server profile at the same time, the firewall sends the request to only one server at a time until one of the servers responds.
Fixed an issue where the firewall did not perform a validation check when you set the Subnet Mask while configuring the firewall as a DHCP server (Network > DHCP > <interface> > Options).
Fixed an issue on PA-5000 Series firewalls where multicast traffic failed because PAN-OS did not remove stale sessions from the hardware session offload processor.
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the URL Continue page (CVE-2018-7636).
Fixed an issue where the firewall unnecessarily sent an Authorize-only request to the RADIUS server, which was denied during the login process, if you disabled the Retrieve Framed-IP-Address attribute from authentication server option (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <clients_configuration> > IP Pools) in the GlobalProtect gateway configuration.
Fixed an issue where the firewall discarded any unsaved changes you made to the exceptions in a Vulnerability Protection profile after you enabled or disabled (cleared) the Show all signatures option (Objects > Security Profiles > Vulnerability Protection > <Vulnerability_Protection_profile> > Exceptions).
Fixed an issue where PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3200 Series, and PA-3000 Series firewalls dropped packets because their dataplanes restarted due to QoS queue corruption.
Fixed a configuration parsing issue where a default setup of the Authentication Profile caused the firewall to reboot during commit. If the administrator configured the Authentication Profile with any allowed values, including the default values, the configuration committed successfully. The issue was observed on a PA-500 firewall in FIPS-CC mode.
Fixed an issue where the Panorama management server ran out of disk space because PAN-OS did not automatically purge configuration export files from the tmp folder after exporting them.
Fixed an issue where content update failures (associated with the "Content update job failed for user Auto update agent" error message) had only a high severity level in System logs. With this fix, content update failures have a critical severity level for better visibility.
Fixed an issue where SNMP managers could not retrieve firewall power supply information associated with the entPhysicalEntry (1.3.6.1.2.1.47.1.1.1.1) and entPhysicalDescr (1.3.6.1.2.1.47.1.1.1.1.2) SNMP objects from the ENTITY-MIB.
Fixed an issue where the firewall was sending incorrect bytes-per-packet values to the NetFlow collector when two servers were configured in the same NetFlow profile.
Fixed a rare issue on PA-7000 Series firewalls where 20GQ NPC QSFP+ ports didn't link up (during online insertion and removal (OIR), link-state change, or boot up events) and became unrecoverable until the NPC was restarted.
Fixed an issue where the firewall applied case sensitivity to the names of shared user groups that were defined in its local database and, as a result, users who belonged to those groups couldn't access applications through GlobalProtect Clientless VPN even after successful authentication. With this fix, the firewall ignores character case when evaluating the names of user groups in its local database.
Fixed an issue in an HA active/active configuration where traffic in a GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing when asymmetric routing was involved.
Fixed an issue where, after end users resumed their sessions, GlobalProtect connections failed with a client certificate error because the certificate host ID field was not cached in the session cache.
Fixed an issue where the firewall web interface did not display the task manager when indices were corrupted and did not purge the old jobs as expected.
Fixed an issue where the firewall failed to parse the merged configuration file after you changed the master key; it parsed only the running configuration file. With this fix, the firewall parses both files as expected after you change the master key.
Fixed an issue where no results were returned for a Global Find request when using the short name domain\group format.
Fixed an issue where Panorama was unable to pull any groups from a specific domain when the query for users included a domain name that ended with a backslash ( "\" ) character.
Fixed an issue where all WildFire jobs on the firewall were stuck at zero percent progress, which prevented the firewall from installing the latest WildFire updates.