PAN-OS 8.0.14 Addressed Issues
Fixed an issue where WF-500 appliances displayed the wrong WildFire® content version (show system info) after a WildFire content update.
Fixed an issue where RAID rebuilding after disk replacement either failed or took longer than expected.
Fixed an issue where PA-800 Series firewalls intermittently restarted due to a kernel error.
Fixed an issue on PA-800 Series firewalls where a kernel memory spike caused the firewall to restart.
Fixed an issue with Panorama™ where administrators were unable to use the web interface to acquire a commit or config lock for device groups.
Fixed an issue where the firewall did not generate a new random value in the TLS Server Hello message, which broke TLSv1.3 connections when SSL Forward Proxy decryption was enabled.
Fixed an issue where the firewall logged data in the packet-diag log for IP addresses that you did not specify in the packet-capture filters when you enabled the tunnel:flow log feature.
Fixed an intermittent issue where the replace device CLI command caused the configuration lock to stop responding.
Fixed an issue where the replace device old <serial-number> new <serial-number> command caused the configuration (configd) daemon to stop responding.
Fixed an issue where a firewall blocked SMTP traffic when processing ZIP files due to too many packet-process loops.
Fixed an issue where a process (mgmtsrvr) failed on EDL refresh when configured over a Secure Sockets Layer (SSL) connection.
(PA-5250, PA-5260, PA-5000 Series, and PA-7000 Series firewalls only) Fixed an intermittent issue where GlobalProtect™ SSL sessions that were enforcing client certificate authentication failed to resume and caused an authentication failure.
Fixed an issue on Panorama virtual appliances in a high availability (HA) configuration where the elastic search script failed to identify the master node due to case sensitivity in the serial number, which caused log-replication failures when you enabled log redundancy.
(PAN-OS 8.0.8 and later releases only) Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.
(The following PA-7000 Series NPCs only: PA-7000-20G-NPC, PA-7000-20GQ-NPC, PA-7000-20GXM-NPC, and PA-7000-20GQXM-NPC) Fixed an issue where an egress buffer overflow that impacted internal packet path monitoring caused a high availability (HA) failover. Additionally, enhancements were made to flow control communication between the traffic manager and flow engine components to improve system stability during periods of heavy traffic.
Fixed an issue with firewalls in an HA active/passive configuration where the firewall processed traffic in a suspended state.
Fixed an issue where an M-500 appliance still pushed the previously configured values even after you cleared the values in the Management Interface Settings (Device > Setup > Interfaces > Management) and configured new ones.
Fixed an issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) resulted in an unexpected change to the configuration that caused the firewall to drop traffic.
Fixed an intermittent issue on a PA-7000 Series firewall where auto-commits prematurely executed before all Network Processing Cards (NPCs) were detected and ready.
Fixed an issue on PA-7000 Series firewalls in a high availability (HA) active/active configuration where, after an HA failover event, the IP address rule list continuously duplicated entries, which resulted in slow response times from the firewall and, eventually, caused the Network Processing Cards (NPCs) to restart.
Fixed an issue where SNMP object identifier queries for hrStorageAllocationUnits returned negative values.
Fixed an issue where SaaS application usage reports were empty when you used special characters in naming zones.
Fixed an issue on a PA-7000 Series firewall where the Network Processing Card (NPC) rebooted due to a memory allocation issue.
Fixed an issue where a change in user-mapping information prevented the host information profile (HIP) from updating.
Fixed an issue where a firewall in an HA active/passive configuration did not send the Bidirectional Forwarding Detection (BFD) administrator down status after a manual failover.
Fixed an issue in an HA active/passive configuration where the hardware offload feature attempted to reinstall IPSec sessions for individual packets, which caused additional dataplane CPU loads on both the active and passive firewalls.
Fixed an issue on Panorama M-Series and virtual appliances where a qualifier configured for a custom application signature displayed the following error message: Unauthorized request.
Fixed an issue where a Captive Portal configured with RADIUS authentication failed when a username contained the "at" (@) character.
Fixed an issue where a library (libpam_pan.so) did not handle incorrect passwords as expected.
Fixed an issue in Panorama where a commit failed message appeared in the Template Last Commit column in the device management summary after a Panorama reboot or upgrade.
Fixed an issue on an M-100 appliance in an HA active/passive configuration where the schedules (Device > Dynamic Updates) were unresponsive after a failover or restart of the active firewall.
Fixed an issue where Path Monitoring for IPv6 ping packets was dropping packets.
A security-related fix was made to address three OpenSSL vulnerabilities: CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739.
Fixed an issue on a firewall configured with RADIUS where the default timeout setting failed after an administrator entered credentials through the web interface.
Fixed an issue where the firewall incorrectly forwarded packets to upstream devices when it had no ARP entry for the destination IP address, which resulted in traffic outages caused by source MAC addresses that did not get updated as expected.
Fixed an issue on a PA-5000 Series firewall where SNMP values for received and transmitted bytes for Aggregate Ethernet (AE) subinterfaces returned incorrect values.
Fixed an issue on a PA-220 firewall in an HA active/passive configuration and with jumbo frames enabled (Device > Setup > Session) where configuration and dynamic updates failed to synchronize.
Fixed an issue where PA-3000 Series firewalls passed file descriptors in a dataplane process (pan_comm) during content (apps and threats) installation and FQDNRefresh job execution, which caused the hardware Layer 7 engine to identify applications incorrectly.
(PAN-OS® 8.0.8 and later releases) Fixed an issue where the administrator setting did not change when appropriate after you imported a configuration.
Fixed an issue where you could not set the Captive Portal session timeout (Device > Setup > Session) to 60 seconds or longer without causing a browser redirect.
Fixed an issue where the firewall took longer than expected to update a URL category.
A security-related fix was made to the way the Linux kernel handles exceptions associated with MOV to SS and POP to SS instructions (CVE-2018-8897).
A security-related fix was made to prevent modification of attributes in a SAML Response packet.
Fixed an intermittent issue where the firewall did not rotate error logs correctly, which caused disk space issues.
Fixed an intermittent issue where a null pointer exception caused the configuration (configd) process to stop responding.
Fixed an issue where the static route was not reinstalled if you modified the path-monitoring hold time while the timer was active.
Fixed an issue where administrators with predefined roles and permission to save configuration changes were not able to save their changes.
Fixed an issue where PA-220 firewalls that were bootstrapped with a configuration that enabled jumbo frames did not change the packet buffer size as expected, which resulted in a dataplane restart.
Fixed an issue where a Panorama appliance returned the following error: mgmtsrvr: User restart reason - Virtual memory limit exceeded (8204808 > 8192000).
Fixed an intermittent issue on a PA-7000 Series firewall where the GlobalProtect LSVPN tunnel monitoring failed during re-key, which caused satellites to disconnect.
Fixed an issue where a firewall did not apply the configured NAT policy during a predicted RTSP session.
Fixed an intermittent issue where a process (mdb) stopped responding after a file cleanup failure.
Fixed an issue where administrators with Device Group and Template access were not able to modify the QoS interface (Network > QoS).
Fixed an issue where a 500 Internal Server error occurred for traffic that matched a Security policy rule with a URL Filtering profile that specified a continue action (Objects > Security Profiles > URL Filtering) because the firewall did not treat the API keys as binary strings.
Fixed an issue where a memory leak caused an out-of-memory (OOM) error.
Fixed an issue on Panorama M-Series and virtual appliances where the hash of the shared policy was incorrectly calculated, which caused an in-sync shared policy status to display as out-of-sync.
Fixed an issue where continuous renewal for a session that went into DISCARD state when the firewall reached its resource limit prevented the creation of new sessions that matched that DISCARD session.
Fixed an intermittent issue where VPN tunnels terminated due to IKE manager failures.
Fixed an issue where the firewall generated System logs with high severity for Dataplane under severe load conditions that did not affect traffic. With this fix, the System logs have low severity for Dataplane under severe load conditions that do not affect traffic.
Fixed an issue in an NSX environment where the Panorama management server displayed an incorrect number of tags under Dynamic Address Groups when you configured a static tag in one or more address groups.
Fixed an intermittent issue where a race condition caused the Logging Service or WF-500 appliances to disconnect from or become unresponsive to firewalls or the Panorama management server.
Fixed an issue where, when you tried to export a custom report and your Chrome or Firefox browser was configured to block popup windows, the firewall instead downloaded a Tech Support File to your client system.
Fixed an issue where the firewall didn't Block sessions with unsupported cipher suites based on Decryption policy rules for SSL Inbound Inspection when the rules referenced a Decryption Profile with a list of allowed ciphers that didn't match the ciphers that the destination server specified (Objects > Decryption > Decryption Profile). With this fix, the firewall checks the ciphers of both the source client and destination server against the cipher list in Decryption profiles when evaluating whether to allow sessions based on Decryption policy.
Fixed an issue where the predict session for the RMI-IIOP application was not created correctly, which caused server-to-client initiated sessions to traverse slow-path inspection and, eventually, policy rules denied the traffic associated with these sessions.
Fixed an issue on PA-3000 Series firewalls where commits took longer than expected or failed because the pan_comm process stopped responding.
Fixed an issue on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls in an HA configuration where multicast sessions intermittently stopped forwarding traffic after HA failover on firewalls with hardware offloading enabled (default).
Fixed an issue where the show running ippool command stopped responding due to a conflict with packet processing and caused the Aggregate Ethernet (AE) interface to fail.
Fixed an issue where a firewall did not forward logs when using the category eq command-and-control filter.
A security-related fix was made to SAML authentication.
Fixed two issues on a firewall configured for GlobalProtect Clientless VPN:
Fixed an intermittent issue where operational commands executed by continuous API calls caused the firewall to stop responding with the following error message: op command for client timed out as client is not available.
Fixed an intermittent issue with ZIP hardware offloading where firewalls identified ZIP files as threats when they were sent over Simple Mail Transfer Protocol (SMTP).
Fixed an issue where the pan_task process resulted in a closed socket state caused by DPDK queries that were not flushed as expected.