PAN-OS 8.0.12 Addressed Issues

Issue ID
Description
PAN-100870
Fixed an issue where the GlobalProtect™ app incorrectly displayed a warning (Password Warning: Password expires in 0 days) even though the password had not yet expired.
PAN-99968
Fixed an issue where the firewall incorrectly dropped GTPv2-C Modify Bearer Response packets due to a sequence-number mismatch.
PAN-99897
Fixed an issue where a configuration change commit was accepted when only one virtual wire (vwire) interface was defined in a vwire pair. With this fix, a commit for a change where only one vwire interface is defined for a vwire pair is rejected and an error message is displayed.
PAN-99380
Fixed an issue where the dataplane stopped responding when a tunnel interface on the firewall received fragmented packets.
PAN-99263
Fixed an issue where NetFlow caused an invalid memory-access issue that caused the pan_task process to stop responding.
PAN-99212
Fixed an issue where the firewall incorrectly dropped ARP packets and increased the flow_arp_throttle counter.
PAN-99141
Fixed an issue in an HA active/active virtual wire configuration where a race condition caused the firewall to intermittently drop First SYN packets when they traversed the HA3 link.
PAN-99067
Fixed an issue where a firewall frequently flapped a BGP session when the firewall did not receive any response from the BFD peer or when BFD was configured only on the firewall.
PAN-99060
Fixed an issue where searching through pcaps from a Log Collector in a configuration with multiple Log Collectors took longer than expected.
PAN-98949
Fixed an issue on Panorama™ where generating a threat pcap from the web interface (Monitor tab) took longer than expected and caused the web interface and CLI to become inaccessible.
PAN-98479
Fixed an issue where Panorama displayed a File not found error when you attempted to view or download Threat packet captures (pcaps) from the Monitor tab.
PAN-98470
Fixed an issue on a firewall with GTP stateful inspection enabled where the firewall incorrectly identified GTP echo packets as GTP-U application packets.
PAN-98097
Fixed an issue on PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where Captive Portal was inaccessible for traffic on Secure HTTP (https) websites when SSL decryption was enabled and users were behind a proxy server.
PAN-97905
Fixed an issue where device-group operations were discarded when a concurrent commit was triggered by a different administrator.
PAN-97208
Fixed an issue where a firewall in a high availability (HA) active/active virtual wire (vwire) configuration with SSL decryption enabled passed traffic through the wrong firewall.
PAN-96997
Fixed an intermittent issue where detecting an unreachable WF-500 node took longer than expected.
PAN-96889
Fixed an issue where administrators were required to perform a commit force before pushing a partial or regular commit operation to managed appliances when the management server (mgmtsrvr) or configuration (configd) process encountered a virtual memory leak and restarted.
PAN-96737
Fixed an issue with an incorrect policy match because Google-docs-base was incorrectly identified as SSL.
PAN-96572
Fixed an issue where, after end users successfully authenticated for access to a service or application, their web browsers briefly displayed a page indicating authentication completed and then they were redirected to an unknown URL that the user did not specify.
PAN-96565
Fixed an issue where the DNS proxy process failed due to a DNS response packet containing a TXT resource record with length = 0.
PAN-96431
A security-related fix was made to prevent HTTP Header Injection in the Captive Portal.
PAN-96388
Fixed an issue in a non-vsys configuration where a firewall dropped the Client Hello packet from tunneled traffic when inbound decryption was enabled because the firewall considered that packet to be an inter-vsys inbound packet.
PAN-96231
Fixed an issue where a commit took significantly longer than expected when cloning a rule compared to when configuring a new rule when the configuration contained a large number of rules.
PAN-96113
Fixed an issue where the show routing protocol bgp rib-out CLI command did not display advertised routes that the firewall sent to the BGP peer. This issue was observed only in a deployment where a firewall is connected to a Border Gateway Protocol (BGP) peer that advertised a route for which the next hop is not in the same subnetwork as the BGP peer interface.
PAN-95999
Fixed an issue where firewalls in an HA active/active configuration with a default session setup and owner configuration dropped packets in a GlobalProtect VPN tunnel that used a floating IP address.
PAN-95766
Fixed an issue where Q-in-Q-tagged packets passed through a firewall without inspection or session creation.
PAN-95730
Fixed an issue where a firewall dropped SIP-RTP packets flowing through a GRE tunnel when a Tunnel Inspection Policy was configured with Security Options (Tunnel Inspection zones).
PAN-95712
Fixed an issue where browsers failed to load custom response pages on decrypted websites when those pages were larger than 8,191 bytes. With this fix, the firewall supports decryption of custom response pages up to 17,999 bytes.
PAN-95698
Fixed an issue where the firewall revealed part of a password in cleartext on the command-line interface (CLI) and management server (mgmtsrvr) log when an administrator attempted to set a password that exceeded the maximum number of characters (31) using the CLI. With this fix, the firewall reports an error when an administrator attempts to set a password that contains more than 31 characters without revealing any part of the actual password.
PAN-95439
Fixed an issue where using the test nat-policy-match command from the XML API did not return any matches when the matching policy was a destination NAT policy.
PAN-95339
Fixed an issue where a firewall sent packets out of order when the sending rate was too high.
PAN-95090
Fixed an issue where imported custom applications did not display in Security Policies that were created through the web interface.
PAN-95061
Fixed an issue on PA-220 firewalls where either a commit or an EDLRefresh job failed with the following error message: failed to handle CONFIG_UPDATE_START. This issue occurred after an increase in the number of type URL entries in an external dynamic list.
PAN-94917
Fixed an issue on Panorama Log Collectors where the show system masterkey-properties CLI command did not display the master key lifetime and reminder settings.
PAN-94582
Fixed an issue where the firewall did not correctly re-learn a User-ID™ mapping after that mapping was temporarily lost and recovered through successful WMI probing.
PAN-94571
Fixed an issue on PA-800 Series, PA-3200 Series, and PA-5200 Series firewalls where tunnel-bound traffic was incorrectly routed through an ECMP route instead of a PBF route as expected.
PAN-94497
Fixed an issue where the default static route was not present in the routing table after you removed the DHCP-provided default gateway when you configured a default static route and DHCP provided the same default route.
PAN-94385
Fixed an issue on Log Collectors where the show log-collector serial-number <LC_serial_number> CLI command displayed log ages that exceeded log expiration periods.
PAN-94288
Fixed an issue where the default view and maximized view of the Application Usage report (ACC > Network Activity) didn't display matching values when you set the Time to Last 12 Hrs or a longer period.
PAN-94221
Fixed an issue when QoS was configured where the dataplane restarted due to a packet process failure.
PAN-94163
Fixed an issue on firewalls deployed in virtual wire mode where SSL decryption failed due to a memory pool allocation failure.
PAN-94058
(GlobalProtect configurations on PAN-OS 8.0.8 and later releases only) Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.
PAN-93973
Fixed an issue on an M-100 appliance where logging stopped when a process (vldmgr) stopped responding.
PAN-93937
Fixed an issue where the management server (mgmtsrvr) process on the firewall restarted when you pushed configurations from the Panorama management server.
PAN-93847
Fixed an issue where a null-pointer exception caused the device server (“devsrv”) process on the management plane to restart.
PAN-93331
Fixed an issue where the firewall applied the wrong checksum when a re-transmitted packet in a NAT session had different TCP flags, which caused the recipient to drop those packets.
PAN-93329
Fixed an issue where the non-session-owner firewall in a high availability (HA) active/active configuration with asymmetric traffic flow dropped TCP traffic when TCP reassembly failed.
PAN-93127
Fixed an intermittent issue where NAT traffic was dropped when NAT parameters were introduced or changed in the path between the LSVPN GlobalProtect gateway and the GlobalProtect satellite. To leverage this fix in your network, you must also enable Tunnel Monitoring on the GlobalProtect Gateway (Network > GlobalProtect > Gateways > <gp-gateway> > Satellite > Tunnel Settings).
PAN-92893
Fixed an issue that occurred during the reboot process and caused some firewalls to go into maintenance mode.
PAN-92788
Fixed an issue where the PAN-OS XML API returned the same job IDs for all report jobs on the firewall. With this fix, the PAN-OS XML API returns the correct job ID for each report job.
PAN-92569
Fixed an issue where the firewall displayed a continue-and-override response page when users tried to access a URL that the firewall incorrectly categorized as unknown because it learned the URL field as an IP address.
PAN-92445
Fixed an issue where the Panorama management server didn't display log data in Monitor > Logs, the ACC tab, or reports when Panorama was in a different timezone than the Dedicated Log Collectors because Panorama applied the wrong time filter.
PAN-92033
Fixed an issue during the software download process that prevented some firewalls and appliances from properly receiving the software images.
PAN-91926
Fixed an issue where GlobalProtect users could not access some websites decrypted by the firewall due to an issue with premature deletion of proxy sessions.
PAN-91361
Fixed an issue where client connections initiated with HTTP/2 failed during SSL Inbound Inspection decryption because the firewall removed the Application-Layer Protocol Negotiation (ALPN) extension within the server hello packet instead of forwarding the extension to the client.
PAN-91238
Fixed an issue where an Aggregate Ethernet (AE) interface with Link Aggregation Control Protocol (LACP) enabled on the firewall went down after a Cisco Nexus primary virtual port channel (vPC) switch LACP peer rebooted and came back up.
PAN-90917
Fixed an issue where IP addresses for predefined External Dynamic Lists were not displayed on the web interface.
PAN-90824
An enhancement was made to improve compatibility for the HTTP log forwarding feature so that you can specify the TLS version that the HTTP log forwarding feature uses to connect to the HTTP server. To specify the version, use the debug system https-settings tls-version CLI command. (To view the currently specified version, use the debug system https-settings command.)
PAN-90448
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't properly Rematch all sessions on config policy change for offloaded sessions (Device > Setup > Session).
PAN-90048
Fixed an issue where automatic commits failed after you configured Security policy rules that referenced region objects for the source or destination and then upgraded the PAN-OS software.
PAN-88829
Fixed an issue where the firewall was unable to verify a signature and marked the response as unavailable when the OCSP responder signed the response and sent it to the OCSP client but did not include the certificate.
PAN-87855
Fixed an issue where some ICMP Type 4 traffic was not blocked as expected after you created a deny Security policy rule with custom App-ID for ICMP Type 4 traffic.
PAN-87079
(PA-3060, PA-3050, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where Threat logs displayed an Other IP Flood message instead of identifying the threat name of the correct protocol (such as TCPFlood) when traffic reached the configured SYN flood max-rate threshold (Objects > Security Profiles > DoS Protection > <DoS_Protection_profile> > Flood Protection > SYN Flood).
PAN-86672
Fixed a rare issue where a commit caused the disk to become full due to an incorrect disk quota-size value, which caused the firewall to behave unpredictably (for example, the web interface and CLI became unresponsive).
PAN-84836
A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability in the PAN-OS response to a GlobalProtect gateway (CVE-2018-10139).
PAN-84647
Fixed an issue with scheduled log exports that prevented firewalls running in FIPS-CC mode from successfully exporting the logs using Secure Copy (SCP).
PAN-83946
Fixed an issue where the default QoS profile limited the available bandwidth to 10Gbps when you specifically applied the profile to the ae2 interface; this issue occurred regardless of the bandwidth setting you configured specifically for that profile.
PAN-83900
Fixed an issue where the Panorama management server did not run ACC reports or custom reports because the reportd process stopped responding when an administrator tried to access a device group to which that administrator did not have access.
PAN-83628
Fixed an issue where an error was displayed when filtering the threat log because the buffer was cleared before prepending the query strings to it.
PAN-83469
Fixed an issue where firewalls were unable to connect to a log collector after you modified the Log Forwarding Preferences (Panorama > Collector Groups > <group> > Device Log Forwarding).
PAN-83030
Fixed an issue where an SSL session was reset after displaying the SSL decryption opt-out page regardless of whether the user chose Yes or No.
PAN-81320
Fixed an issue where administrators could perform a commit lock through the API but could not remove the lock using the same API account credentials on the web interface.
PAN-80794
A protocol-related fix was made to address a bug in the OSPF protocol.
PAN-80665
Fixed an issue in a bi-directional User-ID redistribution configuration where the User-ID (useridd) process stopped responding when the same IP address was continually associated with different usernames, which caused the IP address-to-username mapping to continually sync between firewalls.
PAN-76441
Fixed an issue where expiration of the Captive Portal browser-session cookie was incorrectly set on the browser to 24 hours by default. With this fix, the Captive Portal browser-session cookie expires when the browser session is terminated.
PAN-42036
Fixed a rare intermittent issue on PA-800 Series, PA-2000 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where the firewall unexpectedly rebooted due to memory page allocation failure, which generated a non-maskable interrupt (NMI) watchdog error on the serial console.
