PAN-OS 8.0.14 Addressed Issues

PAN-OS® 8.0.14 addressed issues
Issue ID
Description
WF500-4811
Fixed an issue where WF-500 appliances displayed the wrong WildFire® content version (show system info) after a WildFire content update.
WF500-4645
Fixed an issue where RAID rebuilding after disk replacement either failed or took longer than expected.
PAN-106936
Fixed an issue where PA-800 Series firewalls intermittently restarted due to a kernel error.
PAN-106016
Fixed an issue on PA-800 Series firewalls where a kernel memory spike caused the firewall to restart.
PAN-105921
Fixed an issue with Panorama™ where administrators were unable to use the web interface to acquire a commit or config lock for device groups.
PAN-105724
Fixed an issue where the firewall did not generate a new random value in the TLS Server Hello message, which broke TLSv1.3 connections when SSL Forward Proxy decryption was enabled.
PAN-104524
Fixed an issue where the firewall logged data in the packet-diag log for IP addresses that you did not specify in the packet-capture filters when you enabled the tunnel:flow log feature.
PAN-104406
Fixed an intermittent issue where the replace device CLI command caused the configuration lock to stop responding.
PAN-104073
Fixed an issue where the replace device old <serial-number> new <serial-number> command caused the configuration (configd) daemon to stop responding.
PAN-103383
Fixed an issue where a firewall blocked SMTP traffic when processing ZIP files due to too many packet-process loops.
PAN-102943
Fixed an Issue where a process (mgmtsrvr) failed on EDL refresh when configured over a Secured Socket Layer (SSL) connection.
PAN-102743
(PA-5250, PA-5260, PA-5000 Series, and PA-7000 Series firewalls only) Fixed an intermittent issue where GlobalProtect™ SSL sessions that were enforcing client certificate authentication failed to resume and caused an authentication failure.
PAN-102337
Fixed an issue on Panorama virtual appliances in a high availability (HA) configuration where the elastic search script failed to identify the master node due to case sensitivity in the serial number that caused log-replication failures when you enabled log redundancy.
PAN-101704
(PAN-OS 8.0.8 and later releases only) Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.
PAN-101585
(The following PA-7000 Series NPCs only: PA-7000-20G-NPC, PA-7000-20GQ-NPC, PA-7000-20GXM-NPC, and PA-7000-20GQXM-NPC) Fixed an issue where an egress buffer overflow that impacted internal packet path monitoring caused a high availability (HA) failover. Additionally, enhancements were made to flow control communication between the traffic manager and flow engine components to improve system stability during periods of heavy traffic.
PAN-101378
Fixed an issue with firewalls in an HA active/passive configuration where the firewall processed traffic in a suspended state.
PAN-101371
Fixed an issue where an M-500 appliance still pushed the previously configured values even after you cleared the values in the Management Interface Settings (DeviceSetupInterfacesManagement) and configured new ones.
PAN-100244
Fixed an issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) resulted in an unexpected change to the configuration that caused the firewall to drop traffic.
PAN-100228
Fixed an intermittent issue on a PA-7000 Series firewall where auto-commits prematurely executed before all Network Processing Cards (NPCs) were detected and ready.
PAN-100144
Fixed an issue on PA-7000 Series firewalls in a high availability (HA) active/active configuration where after a HA failover event the IP address rule list continuously duplicated entries and resulted in slow response times from the firewall and, eventually, caused the Network Processing Cards (NPCs) to restart.
PAN-99965
Fixed an issue where SNMP Object identifier queries for hrStorageAllocationUnits returned negative values.
PAN-99861
Fixed an issue where SaaS application usage reports were empty when you used special characters in naming zones.
PAN-99860
Fixed an issue on a PA-7000 Series firewall where the Network Processing Card (NPC) rebooted due to a memory allocation issue.
PAN-99643
Fixed an issue where a change in user-mapping information prevented the host information profile (HIP) from updating.
PAN-99582
Fixed an issue where a firewall in an HA active/passive configuration did not send the Bidirectional Forwarding Detection (BFD) administrator down status after a manual failover.
PAN-99211
Fixed an issue in an HA active/passive configuration where the hardware offload feature attempted to reinstall IPSec sessions for individual packets, which caused additional dataplane CPU loads on both the active and passive firewalls.
PAN-99204
Fixed an issue on Panorama M-Series and virtual appliances where a qualifier configured for a custom application signature displayed the following error message: Unauthorized request.
PAN-99161
Fixed an issue where a Captive Portal configured with RADIUS authentication failed when a username contained the "at" (@) character.
PAN-99110
Fixed an issue where a library (libpam_pan.so) did not handle incorrect passwords as expected.
PAN-99095
Fixed an issue in Panorama where a commit failed message appeared in the Template Last Commit column in the device management summary after a Panorama reboot or upgrade.
PAN-98933
Fixed an issue on an M-100 appliance in an HA active/passive configuration where the schedules (DeviceDynamic Updates) were unresponsive after a failover or restart of the active firewall.
PAN-98683
Fixed an issue where Path Monitoring for IPv6 ping packets was dropping packets.
PAN-98504
A security-related fix was made to address three OpenSSL vulnerabilities: CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739.
PAN-98475
Fixed an issue on a firewall configured with RADIUS where the default timeout setting failed after an administrator entered credentials through the web interface.
PAN-98332
Fixed an issue where the firewall incorrectly forwarded packets to upstream devices when it had no ARP entry for the destination IP address, which resulted in traffic outages caused by source MAC addresses that did not get updated as expected.
PAN-98263
Fixed an issue on a PA-5000 Series firewall where SNMP values for received and transmitted bytes for Aggregate Ethernet (AE) subinterfaces returned incorrect values.
PAN-98195
Fixed an issue on a PA-220 firewall in an HA active/passive configuration and with jumbo frames enabled (DeviceSetupSession) where configuration and dynamic updates failed to synchronize.
PAN-98116
Fixed an issue where PA-3000 Series firewalls passed file descriptors in a dataplane process (pan_comm) during content (apps and threats) installation and FQDNRefresh job execution, which caused the hardware Layer 7 engine to identify applications incorrectly.
PAN-98110
(PAN-OS® 8.0.8 and later releases) Fixed an issue where administrator setting did not change when appropriate after you imported a configuration.
PAN-97928
Fixed an issue where you could not set the Captive Portal session timeout (DeviceSetupSession) to 60 seconds or longer without causing a browser redirect.
PAN-97698
Fixed an issue where the firewall took longer than expected to update a URL category.
PAN-97199
A security-related fix was made to the way the Linux kernel handles exceptions associated with MOV to SS and POP to SS instructions (CVE-2018-8897).
PAN-96696
A security-related fix was made to prevent modification of attributes in a SAML Response packet.
PAN-96522
Fixed an intermittent issue where the firewall did not rotate error logs correctly, which caused disk space issues.
PAN-96462
Fixed an intermittent issue where a null pointer exception caused the configuration (configd) process to stop responding.
PAN-96440
Fixed an issue where the static route was not reinstalled if you modified the path-monitoring hold time while the timer was active.
PAN-96283
Fixed an issue where administrators with predefined roles and permission to save configuration changes were not able to save their changes.
PAN-96200
Fixed an issue where PA-220 firewalls that were bootstrapped with a configuration that enabled jumbo frames did not change the packet buffer size as expected, which resulted in a dataplane restart.
PAN-96109
Fixed an issue where a Panorama appliance returned the following error: mgmtsrvr: User restart reason - Virtual memory limit exceeded (8204808 > 8192000).
PAN-95935
Fixed an intermittent issue on a PA-7000 Series firewall where the GlobalProtect LSVPN tunnel monitoring failed during re-key, which caused satellites to disconnect.
PAN-95819
Fixed an issue where a firewall did not apply the configured NAT policy during a predicted RTSP session.
PAN-95566
Fixed an intermittent issue where a process (mdb) stopped responding after a file cleanup failure.
PAN-95131
Fixed an issue where administrators with Device Group and Template access were not able to modify the QoS interface (NetworkQoS).
PAN-94777
Fixed an issue where a 500 Internal Server error occurred for traffic that matched a Security policy rule with a URL Filtering profile that specified a continue action (ObjectsSecurity ProfilesURL Filtering) because the firewall did not treat the API keys as binary strings.
PAN-94532
Fixed an issue where a memory leak caused an out-of-memory (OOM) error.
PAN-94413
Fixed an issue on Panorama M-Series and virtual appliances where the hash of the shared policy was incorrectly calculated, which caused an in-sync shared policy status to display as out-of-sync.
PAN-93457
Fixed an issue where continuous renewal for a session that went into DISCARD state when the firewall reached its resource limit prevented the creation of new sessions that matched that DISCARD session.
PAN-93456
Fixed an intermittent issue where VPN tunnels terminated due to IKE manager failures.
PAN-93005
Fixed an issue where the firewall generated System logs with high severity for Dataplane under severe load conditions that did not affect traffic. With this fix, the System logs have low severity for Dataplane under severe load conditions that do not affect traffic.
PAN-92740
Fixed an issue in an NSX environment where the Panorama management server displayed an incorrect number of tags under Dynamic Address Groups when you configured a static tag in one or more address groups.
PAN-92548
Fixed an intermittent issue where a race condition caused the Logging Service or WF-500 appliances to disconnect from or become unresponsive to firewalls or the Panorama management server.
PAN-92380
Fixed an issue where, when you tried to export a custom report and your Chrome or Firefox browser was configured to block popup windows, the firewall instead downloaded a Tech Support File to your client system.
PAN-92256
Fixed an issue where the firewall didn't Block sessions with unsupported cipher suites based on Decryption policy rules for SSL Inbound Inspection when the rules referenced a Decryption Profile with a list of allowed ciphers that didn't match the ciphers that the destination server specified (ObjectsDecryptionDecryption Profile). With this fix, the firewall checks the ciphers of both the source client and destination server against the cipher list in Decryption profiles when evaluating whether to allow sessions based on Decryption policy.
PAN-91259
Fixed an issue where the predict session for the RMI-IIOP application was not created correctly, which caused server-to-client initiated sessions to traverse slow-path inspection and, eventually, policy rules denied the traffic associated with these sessions.
PAN-90164
Fixed an issue on PA-3000 Series firewalls where commits took longer than expected or failed because the pan_comm process stopped responding.
PAN-89794
Fixed an issue on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls in an HA configuration where multicast sessions intermittently stopped forwarding traffic after HA failover on firewalls with hardware offloading enabled (default).
PAN-87152
Fixed an issue where the show running ippool command stopped responding due to a conflict with packet processing and caused the Aggregate Ethernet (AE) interface to fail.
PAN-86769
Fixed an issue where a firewall did not forward logs when using the category eq command-and-control filter.
PAN-86426
A security-related fix was made to SAML authentication.
PAN-85410
Fixed two issues on a firewall configured for GlobalProtect Clientless VPN:
  • The firewall dataplane restarted when client cookies contained a path that did not start with a forward slash (/).
  • The firewall did not properly reinitialize client cookies that had a missing path and domain and instead used values from previously received cookies.
PAN-80078
Fixed an intermittent issue where operational commands executed by continuous API calls caused the firewall to stop responding with the following error message: op command for client timed out as client is not available.
PAN-79291
Fixed an intermittent issue with ZIP hardware offloading where firewalls identified ZIP files as threats when they were sent over Simple Mail Transfer Protocol (SMTP).
PAN-71911
Fixed an issue where the pan_task process resulted in a closed socket state caused by DPDK queries that were not flushed as expected.

Related Documentation