PAN-OS 8.0.13 Addressed Issues

PAN-OS® 8.0.13 addressed issues
Issue ID
Description
WF500-4466
Fixed an issue on WF-500 passive cluster members where file forwarding was incorrectly disabled, which prevented the passive firewall from uploading samples.
PAN-104116
Fixed an issue during a PAN-OS® upgrade where a hardware packet buffer leak caused firewall performance to degrade.
PAN-103132
A security-related fix was made to address the FragmentSmack vulnerability (CVE-2018-5391 / PAN-SA-2018-0012).
PAN-102750
Fixed an issue on a PA-5000 Series firewall where the dataplane restarts when multicast traffic matched a stale session on the offload processor that was not cleared as expected.
PAN-102664
Fixed an issue where a process (rasmgr) restarted when a satellite tunnel tear down command and a get user config command occurred simultaneously.
PAN-102631
Fixed an issue where a process (rasmgr) restarted multiple times, which caused the firewall to reboot.
PAN-102168
Fixed an issue where a PA-5200 Series firewall processed the tunnel-monitoring with profile-failover as having the tunnel status up and peers as down during initial configuration.
PAN-102140
Fixed an issue where Extended Authentication (X-Auth) clients intermittently failed to establish an IPSec tunnel to GlobalProtect gateways.
PAN-101182
Fixed an issue where a system failure occurred due to packet size exceeding the hardware limit.
PAN-100985
Fixed an issue with PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where the firewall fails to clear cache for refreshing the FQDN list, which periodically results in an out of memory condition that forces the firewall to reboot.
PAN-100794
Fixed an issue where SNMP fan trays did not initialize as expected and prevented the SNMP manager from receiving fan tray information.
PAN-100715
Fixed an issue on VM-Series firewalls where the dataplane stops processing traffic when attempting to transmit packets larger than the firewall maximum transmission unit (MTU).
PAN-100345
(PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewall only) Fixed an issue where a large number of group mappings caused the firewall to display out-of-memory (OOM) errors and restart.
PAN-99964
Fixed an issue on an M-100 appliance where a bulk set of commands timed out causing configuration locks and, while running any subsequent show commands, responded with the following message: Server error: Timed out while getting configlock. Please try again.
PAN-99780
Fixed an issue where the second virtual system (vsys) dropped TCP traffic that was out-of-order when that second vsys controlled the proxy session in a multi-vsys configuration.
PAN-99590
Fixed an issue where the firewall did not return Captive Portal response pages as expected due to depletion of file descriptors.
PAN-99392
Fixed an issue where RADIUS VSA administrators were able to login for one hour after their VSA administrator role was removed on the RADIUS server.
PAN-99316
Fixed an issue where the SAP Success Factor app failed to load because the Cipher-cloud was configuring cookies with the “at” ( @ ) character in the cookie name but Palo Alto Networks firewalls used the @ character as a separator for storing cookies locally, which caused the firewall to misinterpret the cookies.
PAN-98976
Fixed an intermittent issue where Captive PortalMFA failed and discarded new MFA requests.
PAN-98635
Fixed an issue on the Panorama™ centralized management server where the logs related to the clear-log system were not forwarded to the Syslog server.
PAN-98217
Fixed an issue where user-account group members in subgroups (n+1) were unnecessarily queried when nested level was set to n.
PAN-98189
Fixed an issue where firewall overrides configuration to not validate first ASN, resulting in multi-lateral BGP connection flaps peering over an internet exchange.
PAN-97881
Fixed an issue where an administrator with the CLI Device Read privilege was able to discard a session that was revoked.
PAN-97324
Fixed an issue where values were missing in the URL field in the Data Filtering logs.
PAN-97315
Fixed an issue on Panorama M-Series and virtual appliances where the configuration (configd) process stopped responding after you entered a filter string and tried to Add Match Criteria for any Dynamic address group type (ObjectsAddress Groups).
PAN-97296
Fixed an issue where the Panorama web interface Group Mapping Settings took longer to load than expected when there were multiple device groups and each group reported to a different master device.
PAN-97253
Fixed an issue where audio failed for long-lived session initiated protocol (SIP) sessions subjected to six content updates.
PAN-97077
Fixed an issue on Panorama M-Series and virtual appliances where the report-generation process stopped responding due to a corrupt log record in the JSON query.
PAN-97045
Fixed an issue on PA-850 firewalls where the session rematch option failed to execute when you added an IP address to the External Dynamic List (EDL) block list.
PAN-96918
Fixed an issue where an unreachable DNS server due to aggressive timers increased the time of PPPoE negotiation and, in some cases, caused negotiation to fail.
PAN-96860
Fixed an issue where the processing of ZIP files in the firewall dropped traffic unexpectedly and logged a threat entry for SMTP traffic.
PAN-96796
Fixed an intermittent issue where session BIND messages were dropped in a Dynamic IP configuration.
PAN-96734
Fixed an issue where a process (configd) stopped responding during a partial revert operation when reverting an interface configuration.
PAN-96678
Fixed an issue on PA-800 Series firewalls where the web interface did not display or allow you to configure the bandwidth setting any higher than 1Gbps.
PAN-96645
Fixed an issue where generation of extraneous data filtering logs for SMB protocol traffic occurred without data filtering or file blocking securities rules in place.
PAN-96579
Fixed an issue where the Syslog server received an incorrect vsys/port log message when multiple vsys systems, with the same profile name and different port numbers, are connected to a single syslog server.
PAN-96477
Fixed an issue where PA-5000 Series firewalls did not send an IGMP query immediately after an HA failover.
PAN-96130
Fixed an issue on a PA-800 Series firewall where fragmented packets caused the firewall to restart.
PAN-95970
Fixed an issue on a PA-500 firewall where the dataplane tunnel content pointer entered a NULL state and caused dataplane processes (pan_comm and tund) to stop responding, which caused the dataplane to restart.
PAN-95736
Fixed an issue where the mprelay process stopped responding when you performed a commit while the firewall identified flows that needed a NetFlow update.
PAN-95486
Fixed an issue with VM-Series firewalls on Azure where dynamic updates failed for the GlobalProtect™ Data File when you scheduled the updates using the management interface.
PAN-95407
Fixed an issue where an API call resulted in an incorrect response.
PAN-95331
Fixed an issue where a temporary flap on configured Aggregate Ethernet (AE) interfaces cleared the dataplane debug logs.
PAN-95265
Fixed an issue on a PA-220 firewall where exporting the device state from the Panorama command-line interface (CLI) included the default bidirectional forwarding detection (BFD) configuration, which caused a commit to fail on the firewall when uploading the device state.
PAN-95045
Fixed an issue where syslog messages that terminated with 0 prevented the firewall from identifying matching patterns in the message.
PAN-94654
Fixed an issue where the published applications page for GlobalProtect Clientless VPN displayed a blank application icon instead of the custom Application Icon that you specified (NetworkGlobalProtectPortalsClientless VPNApplications<application><application>).
PAN-94382
Fixed an issue on the Panorama management server where the Task Manager displayed Completed status immediately after you initiated a push operation to firewalls (Commit all) even though the push operation was still in progress.
PAN-94317
Fixed the following LDAP authentication issues:
  • Authentication failed for users who belonged to user groups for which you specified LDAP short names instead of long names in the Allow List of an authentication profile (DeviceAuthentication Profile).
  • When performing LDAP lookups based on entries in the Allow List of LDAP authentication profiles, the firewall treated unknown group names as usernames.
  • Authentication failed for users who belonged to multiple groups that you entered in the Allow List of different LDAP authentication profiles.
PAN-94278
Fixed an issue where a Panorama Collector Group forwarded Threat and WildFire® Submission logs to the wrong external server after you configured match list profiles with the same name for both log types (PanoramaCollector Groups<Collector_Group>Collector Log Forwarding{Threat | WildFire}<match_list_profile>).
PAN-94043
Fixed an issue where, when an administrator made and committed partial changes, the disabled address objects used in a disabled security policy were pushed from Panorama and retained on the firewall but were deleted when an administrator performed a full commit from Panorama.
PAN-93469
Fixed an issue where the GlobalProtect login, welcome, and help pages did not display custom logo images in any browsers other than Internet Explorer after you upgraded to PAN-OS 8.0.8 or a later release.
PAN-93430
Fixed an issue where the firewall web interface did not display Host Information Profile (HIP) information in HIP Match logs for end users who had Microsoft-supported special characters in their domains or usernames.
PAN-93152
Fixed an intermittent Panorama issue where, after upgrading to PAN-OS 8.0 or a later release and when connected to a WF-500 appliance, commit validations failed due to a mismatched threat ID range on the WildFire private cloud.
PAN-92955
Fixed an issue on PA-5200 Series firewalls in an HA active/active configuration where session timeouts occurred when TCP timers did not update as expected for asymmetric flows.
PAN-92782
Fixed an issue where administrators with virtual system-specific role privileges could use the PAN-OS XML API to commit changes to shared objects on the firewall. With this fix, only administrators with the superuser role can commit changes to shared objects.
PAN-92596
Fixed an issue where the output of the show neighborndp-monitorall CLI command was missing a space between the Interface and IPv6 Address columns, which decreased readability.
PAN-92553
Fixed an issue on the Panorama management server where filtering logs based on IPv6 sources didn't return the expected results (MonitorLogs<log_type>).
PAN-92489
Fixed an issue where firewalls intermittently forwarded logs directly to the Panorama management server instead of to Log Collectors after you pushed a Collector Group preference list to the Log Collectors.
PAN-90998
Fixed an issue on firewalls with SSL Inbound Inspection decryption enabled where the dataplane restarted because the firewall did not correctly handle TCP RST messages.
PAN-90347
Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (NetworkIPSec Tunnels<tunnel>Proxy IDs) where the firewall dropped tunneled traffic after clear text sessions were established on a different dataplane than the first dataplane (DP0).
PAN-89988
Fixed an issue where the firewall dataplane intermittently restarted, causing traffic loss, after you attached a NetFlow server profile to an interface for which the firewall assigned an invalid identifier.
PAN-89715
Fixed an issue on PA-5200 Series firewalls in an HA active/passive configuration where failover took a few seconds longer than expected when it was triggered after the passive firewall rebooted.
PAN-89346
Fixed an issue where an XML API call to execute the show system raid detail CLI command returned an error.
PAN-88440
Fixed an issue where a firewall configured as a DNS proxy server (NetworkDNS Proxy) displayed the following error when performing a name server lookup for any domain on MAC endpoints: Got recursion not available.
PAN-88292
Fixed an issue on Panorama management servers in an HA configuration where the Log Collector that ran locally on the passive firewall did not forward logs to syslog servers.
PAN-87969
Fixed an issue where the firewall inserted hard-coded double quotes ( " ) for the $opaque macro in payloads after you configured log forwarding to a JSON-type HTTP server.
PAN-87867
Fixed an issue on an M-100 appliance where, when the interface and snapshot length (snaplen) options were enabled, the tcpdump command failed to execute with the following message: Unsupported number of arguments.
PAN-87546
Fixed an intermittent issue where the User-ID™ (useridd) process stopped responding and caused the firewall to restart.
PAN-87132
Fixed an issue on an M-100 appliance where a restart of the correlation (cord) process caused the appliance to reboot.
PAN-86759
Fixed an issue where the URL session information WildFire report displayed Unknown for sample files uploaded from firewalls running a PAN-OS 8.0 release.
PAN-86583
Fixed an issue where the DHCP process restarted while you committed a configuration change to DHCP settings and, as a result, DHCP clients could not receive IP addresses from a firewall configured as a DHCP server (NetworkDHCP).
PAN-84199
Fixed an issue where, after you disabled the Skip Auth on IKE Rekey option in the GlobalProtect gateway, the firewall still applied the option: end users with endpoints that used Extended Authentication (X-Auth) did not have to re-authenticate when the key for establishing the IPSec tunnel expired (NetworkGlobalProtectGateways<gateway>AgentTunnel Settings).
PAN-81553
Fixed an issue where the M-100 appliance used the default value of 1,000 because the maximum number of user groups was not defined in the system configuration.
PAN-81074
Fixed an issue on PA-7000 Series firewalls where the output from the REST/API version of the <show><system><raid><detail> command did not include all of the same output as the CLI version of this command.
PAN-80505
Fixed an issue where a firewall was able connect to Panorama using an expired certificate.

Related Documentation