Fixed an issue on WF-500 passive cluster members where file forwarding was incorrectly disabled, which prevented the passive firewall from uploading samples.

Fixed an issue during a PAN-OS® upgrade where a hardware packet buffer leak caused firewall performance to degrade.

A security-related fix was made to address the FragmentSmack vulnerability (CVE-2018-5391 / PAN-SA-2018-0012).

Fixed an issue on a PA-5000 Series firewall where the dataplane restarts when multicast traffic matched a stale session on the offload processor that was not cleared as expected.

Fixed an issue where a process (

rasmgr

) restarted when a

satellite tunnel tear down

command and a

get user config

command occurred simultaneously.

Fixed an issue where a process (

rasmgr

) restarted multiple times, which caused the firewall to reboot.

Fixed an issue where a PA-5200 Series firewall processed the tunnel-monitoring with profile-failover as having the tunnel status up and peers as down during initial configuration.

Fixed an issue where Extended Authentication (X-Auth) clients intermittently failed to establish an IPSec tunnel to GlobalProtect gateways.

Fixed an issue where a system failure occurred due to packet size exceeding the hardware limit.

Fixed an issue with PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where the firewall fails to clear cache for refreshing the FQDN list, which periodically results in an out of memory condition that forces the firewall to reboot.

Fixed an issue where SNMP fan trays did not initialize as expected and prevented the SNMP manager from receiving fan tray information.

Fixed an issue on VM-Series firewalls where the dataplane stops processing traffic when attempting to transmit packets larger than the firewall maximum transmission unit (MTU).

(

PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewall only

) Fixed an issue where a large number of group mappings caused the firewall to display out-of-memory (OOM) errors and restart.

Fixed an issue on an M-100 appliance where a bulk set of commands timed out causing configuration locks and, while running any subsequent show commands, responded with the following message:

Server error: Timed out while getting configlock. Please try again.

Fixed an issue where the second virtual system (vsys) dropped TCP traffic that was out-of-order when that second vsys controlled the proxy session in a multi-vsys configuration.

Fixed an issue where the firewall did not return Captive Portal response pages as expected due to depletion of file descriptors.

Fixed an issue where RADIUS VSA administrators were able to login for one hour after their VSA administrator role was removed on the RADIUS server.

Fixed an issue where the SAP Success Factor app failed to load because the Cipher-cloud was configuring cookies with the “at” ( @ ) character in the cookie name but Palo Alto Networks firewalls used the @ character as a separator for storing cookies locally, which caused the firewall to misinterpret the cookies.

Fixed an intermittent issue where

Captive PortalMFA

failed and discarded new MFA requests.

Fixed an issue on the Panorama™ centralized management server where the logs related to the clear-log system were not forwarded to the Syslog server.

Fixed an issue where user-account group members in subgroups (

n

+1) were unnecessarily queried when nested level was set to

n

.

Fixed an issue where firewall overrides configuration to not validate first ASN, resulting in multi-lateral BGP connection flaps peering over an internet exchange.

Fixed an issue where an administrator with the CLI Device Read privilege was able to discard a session that was revoked.

Fixed an issue where values were missing in the URL field in the Data Filtering logs.

Fixed an issue on Panorama M-Series and virtual appliances where the configuration (

configd

) process stopped responding after you entered a filter string and tried to

Add Match Criteria

for any

Dynamic

address group type (

Objects

Address Groups

).

Fixed an issue where the Panorama web interface

Group Mapping Settings

took longer to load than expected when there were multiple device groups and each group reported to a different master device.

Fixed an issue where audio failed for long-lived session initiated protocol (SIP) sessions subjected to six content updates.

Fixed an issue on Panorama M-Series and virtual appliances where the report-generation process stopped responding due to a corrupt log record in the JSON query.

Fixed an issue on PA-850 firewalls where the session rematch option failed to execute when you added an IP address to the External Dynamic List (EDL) block list.

Fixed an issue where an unreachable DNS server due to aggressive timers increased the time of PPPoE negotiation and, in some cases, caused negotiation to fail.

Fixed an issue where the processing of ZIP files in the firewall dropped traffic unexpectedly and logged a threat entry for SMTP traffic.

Fixed an intermittent issue where session BIND messages were dropped in a Dynamic IP configuration.

Fixed an issue where a process (

configd

) stopped responding during a partial revert operation when reverting an interface configuration.

Fixed an issue on PA-800 Series firewalls where the web interface did not display or allow you to configure the bandwidth setting any higher than 1Gbps.

Fixed an issue where generation of extraneous data filtering logs for SMB protocol traffic occurred without data filtering or file blocking securities rules in place.

Fixed an issue where the Syslog server received an incorrect vsys/port log message when multiple vsys systems, with the same profile name and different port numbers, are connected to a single syslog server.

Fixed an issue where PA-5000 Series firewalls did not send an IGMP query immediately after an HA failover.

Fixed an issue on a PA-800 Series firewall where fragmented packets caused the firewall to restart.

Fixed an issue on a PA-500 firewall where the dataplane tunnel content pointer entered a NULL state and caused dataplane processes (

pan_comm

and

tund

) to stop responding, which caused the dataplane to restart.

Fixed an issue where the

mprelay

process stopped responding when you performed a commit while the firewall identified flows that needed a NetFlow update.

Fixed an issue with VM-Series firewalls on Azure where dynamic updates failed for the GlobalProtect™ Data File when you scheduled the updates using the management interface.

Fixed an issue where an API call resulted in an incorrect response.

Fixed an issue where a temporary flap on configured Aggregate Ethernet (AE) interfaces cleared the dataplane debug logs.

Fixed an issue on a PA-220 firewall where exporting the device state from the Panorama command-line interface (CLI) included the default bidirectional forwarding detection (BFD) configuration, which caused a commit to fail on the firewall when uploading the device state.

Fixed an issue where syslog messages that terminated with 0 prevented the firewall from identifying matching patterns in the message.

Fixed an issue where the published applications page for GlobalProtect Clientless VPN displayed a blank application icon instead of the custom

Application Icon

that you specified (

Network

GlobalProtect

Portals

Clientless VPN

Applications

<application>

<application>

).

Fixed an issue on the Panorama management server where the Task Manager displayed

Completed

status immediately after you initiated a push operation to firewalls (

Commit all

) even though the push operation was still in progress.

Fixed the following LDAP authentication issues:

Fixed an issue where a Panorama Collector Group forwarded Threat and WildFire® Submission logs to the wrong external server after you configured match list profiles with the same name for both log types (

Panorama

Collector Groups

<Collector_Group>

Collector Log Forwarding

{Threat | WildFire}

<match_list_profile>

).

Fixed an issue where, when an administrator made and committed partial changes, the disabled address objects used in a disabled security policy were pushed from Panorama and retained on the firewall but were deleted when an administrator performed a full commit from Panorama.

Fixed an issue where the GlobalProtect login, welcome, and help pages did not display custom logo images in any browsers other than Internet Explorer after you upgraded to PAN-OS 8.0.8 or a later release.

Fixed an issue where the firewall web interface did not display Host Information Profile (HIP) information in HIP Match logs for end users who had Microsoft-supported special characters in their domains or usernames.

Fixed an intermittent Panorama issue where, after upgrading to PAN-OS 8.0 or a later release and when connected to a WF-500 appliance, commit validations failed due to a mismatched threat ID range on the WildFire private cloud.

Fixed an issue on PA-5200 Series firewalls in an HA active/active configuration where session timeouts occurred when TCP timers did not update as expected for asymmetric flows.

Fixed an issue where administrators with virtual system-specific role privileges could use the PAN-OS XML API to commit changes to shared objects on the firewall. With this fix, only administrators with the superuser role can commit changes to shared objects.

Fixed an issue where the output of the

show neighborndp-monitorall

CLI command was missing a space between the Interface and IPv6 Address columns, which decreased readability.

Fixed an issue on the Panorama management server where filtering logs based on IPv6 sources didn't return the expected results (

Monitor

Logs

<log_type>

).

Fixed an issue where firewalls intermittently forwarded logs directly to the Panorama management server instead of to Log Collectors after you pushed a Collector Group preference list to the Log Collectors.

Fixed an issue on firewalls with SSL Inbound Inspection decryption enabled where the dataplane restarted because the firewall did not correctly handle TCP RST messages.

Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (

Network

IPSec Tunnels

<tunnel>

Proxy IDs

) where the firewall dropped tunneled traffic after clear text sessions were established on a different dataplane than the first dataplane (DP0).

Fixed an issue where the firewall dataplane intermittently restarted, causing traffic loss, after you attached a NetFlow server profile to an interface for which the firewall assigned an invalid identifier.

Fixed an issue on PA-5200 Series firewalls in an HA active/passive configuration where failover took a few seconds longer than expected when it was triggered after the passive firewall rebooted.

Fixed an issue where an XML API call to execute the

show system raid detail

CLI command returned an error.

Fixed an issue where a firewall configured as a DNS proxy server (

Network

DNS Proxy

) displayed the following error when performing a name server lookup for any domain on MAC endpoints:

Got recursion not available.

Fixed an issue on Panorama management servers in an HA configuration where the Log Collector that ran locally on the passive firewall did not forward logs to syslog servers.

Fixed an issue where the firewall inserted hard-coded double quotes (

"

) for the $opaque macro in payloads after you configured log forwarding to a JSON-type HTTP server.

Fixed an issue on an M-100 appliance where, when the interface and snapshot length (snaplen) options were enabled, the

tcpdump

command failed to execute with the following message:

Unsupported number of arguments.

Fixed an intermittent issue where the User-ID™ (

useridd

) process stopped responding and caused the firewall to restart.

Fixed an issue on an M-100 appliance where a restart of the correlation (

cord

) process caused the appliance to reboot.

Fixed an issue where the URL session information WildFire report displayed

Unknown

for sample files uploaded from firewalls running a PAN-OS 8.0 release.

Fixed an issue where the DHCP process restarted while you committed a configuration change to DHCP settings and, as a result, DHCP clients could not receive IP addresses from a firewall configured as a DHCP server (

Network

DHCP

).

Fixed an issue where, after you disabled the

Skip Auth on IKE Rekey

option in the GlobalProtect gateway, the firewall still applied the option: end users with endpoints that used Extended Authentication (X-Auth) did not have to re-authenticate when the key for establishing the IPSec tunnel expired (

Network

GlobalProtect

Gateways

<gateway>

Agent

Tunnel Settings

).

Fixed an issue where the M-100 appliance used the default value of 1,000 because the maximum number of user groups was not defined in the system configuration.

Fixed an issue on PA-7000 Series firewalls where the output from the REST/API version of the

<show>

<system>

<raid>

<detail>

command did not include all of the same output as the CLI version of this command.