PAN-OS 8.0.16 Addressed Issues
Fixed an issue in a WF-500 appliance cluster where the controller backup node was stuck in global-db-service: WaitingforLeaderReady status when you tried to add nodes to the cluster.
Fixed an issue on WF-500 appliances where logs from a process (rsyncd) depleted the disk space on the root partition.
Fixed an issue where the push scope selection on the Panorama web interface displayed incorrectly even though the commit scope displayed as expected. This issue occurred when one administrator made configuration changes to separate device groups or templates that affected multiple firewalls and a different administrator attempted to push those changes.
Fixed an issue where the firewall sent RIP updates more frequently than expected.
Fixed an issue where GTP-U traffic dropped due to GTP TEID not updating properly during a GTP-C update.
Fixed an issue where the dataplane restarted when an IPsec rekey event occurred and caused a tunnel process (tund) failure when one, but not both, of the HA peers was running PAN-OS 8.0.14 or PAN-OS 8.1.5.
Fixed an issue on a firewall where a process (useridd) stopped responding due to excessive Security Assertion Markup Language (SAML) requests received.
Fixed an issue on a firewall where the Strict IP Address Check incorrectly triggered when you enabled ECMP (Network > Virtual Routers > Add > Router settings > ECMP).
Fixed an issue where a PDP Delete Response packet did not match the GTPv1-C tunnel session, which caused the generated GTP log to display incorrect session data.
(Panorama M-Series and virtual appliances only) Fixed a rare issue where the web interface did not display new logs as expected because Elasticsearch (ES) stopped working when the RAID drives reached maximum capacity and the purge script to remove old ES indices failed to execute and make room for new indices. This issue also resulted in the creation of new ES indices that were empty because the appliance could not read or write to them. With this fix, old indices are purged as expected; however, empty ES indices created before you upgraded to a release with this fix are not removed as expected (see known issue PAN-114041).
Fixed an issue where you were unable to push to managed firewalls because the Push Scope field (Panorama > Managed Collectors > Commit > Push to Devices) did not display the managed firewalls.
Fixed an issue on a firewall where the process (all_pktproc) failed, which caused the dataplane to restart.
A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS SNMP (CVE-2018-18065 / PAN-SA-2019-0007).
Fixed an issue where the dataplane restarted because of an internal path monitoring failure caused by large SSL-decrypted file transfer sessions.
Fixed an issue where the GTP Message Type Modify Bearer Response and GTP Event Code 124223 were denied due to failed stateful inspections.
Fixed an issue where the list of Panorama Managed Devices did not display (Panorama > Device Deployment > Licenses).
A security-related fix was made to address the Linux Kernel Local Privilege Escalation vulnerability (CVE-2018-14634 / PAN-SA-2019-0006).
Fixed an intermittent issue where GTP logs did not display because GTP packets with an APN > 14 bytes caused the traffic log to reach the limit and stop generating logs.
Fixed an issue on a VM-50 firewall where an out of memory event caused the firewall to restart.
Fixed an issue on a firewall in an HA active/passive configuration where a process (all_task) failed due to a (bad_gtp_header) code on the passive firewall after upgrading from PAN-OS 8.0.12.
Fixed an issue on Panorama M-Series and virtual appliances where, after you pushed a configuration to a firewall, the Task Manager did not display the progress.
Fixed an intermittent issue where a content install (content) caused a firewall configuration failure and the firewall to stop responding.
Fixed an issue on a firewall where a commit and FQDN refresh took longer than expected.
Fixed an issue where SNMP queries displayed incorrect values.
Fixed an issue where a DNS App-ID™ security policy allowed non-DNS traffic to flow through.
Fixed an intermittent issue where the session ID did not clear when the session ID was set to 0.
A security-related fix was made to address a development configuration file issue.
Fixed an issue where shadowed rule warnings did not display during commits.
Fixed an issue on a Panorama management server in an HA active/passive configuration where a commit (Commit > Commit to Panorama) caused the firewalls to restart.
Fixed an issue where the firewall did not recognize the small form-factor pluggable (SFP) port, which caused the dataplane to restart when the path monitor process stopped responding.
Fixed an issue where the firewall rebooted when the management (MGT) interface was connected to a network that contained a network loop, which caused excessive traffic flow on the interface. This issue was observed only on a PA-220 firewall.
Fixed an issue on a firewall where TCP reset packets were sent even after you set the vulnerability profile action to drop the packets.
(PA-200, PA-220, and PA-220R firewalls only) Fixed an issue with the Ethernet driver that caused the firewall to reboot when experiencing heavy broadcast traffic on the management interface.
Fixed an issue where GTP log query filters did not work when you filtered based on a value of unknown for the message type or GTP interface fields (Monitor > Logs > GTP).
Fixed an issue where the antivirus/anti-spyware block page did not display.
Fixed an intermittent issue on M-100 appliances where the firewall became unresponsive when multiple users were logged in at the same time.
Fixed an issue where HIP-related objects were missing transformation logic for OPSWAT on firewalls running a PAN-OS 8.0 release managed by a Panorama instance that was running a PAN-OS 8.1 release.
Fixed an issue where the firewall did not display a shadow rule warning for security policy rules when a broader rule was configured above a more specific rule.
Fixed an issue where Security Assertion Markup Language (SAML) single sign-on (SSO) responses truncated group information when the field size exceeded 128 bytes, which caused the allow list check to fail.