PAN-OS 8.0.2 Addressed Issues
PAN-OS 8.0.2 addressed issues
Fixed an issue where, as part of and after upgrading a WildFire appliance to a PAN-OS 8.0 release, using the
request cluster reboot-local-nodeCLI command to reboot a cluster node intermittently caused the node to go offline or fail to reboot.
Fixed an issue in a three-node WildFire appliance cluster where, if you decommissioned the backup controller node or the worker node (
request cluster decommission start) and then deleted the cluster-related configuration (high-availability and cluster membership) from the decommissioned node, the cluster intermittently stopped functioning. Running the
show cluster membershipCLI command on the primary controller node showed the message:
Service Summary: Cluster:offline, HA:peer-offline. In this state, the cluster did not function and did not accept new samples for processing.
Fixed an issue where, after you removed a node from a cluster that stored sample information on the node, the node serial number appeared in the list of storage nodes when you displayed the sample status (
show wildfire global sample-status sha256 equal) even though the node no longer belonged to the cluster.
Fixed an issue where integrated reports were not available for firewalls connected to a WF-500 appliance running in FIPS mode.
Fixed an issue where selecting
Reboot device after Installwhen upgrading WildFire appliance clusters from Panorama caused an ungraceful reboot that intermittently made the cluster unresponsive.
Fixed an issue where PA-3000 Series firewalls dropped long-lived sessions that were active during a content update followed immediately by an Antivirus or WildFire update.
Fixed an issue where Panorama did not automatically push the updated IP addresses of dynamic address groups from device groups to VM-Series firewalls for NSX.
Fixed an issue where Panorama running PAN-OS 8.0 did not push aggregate BGP configurations in a template to firewalls running PAN-OS 7.1 or an earlier release.
Fixed an issue where Security Lifecycle Review reports (
Generate Stats Dump Fileunder
) displayed incorrect subtype values due to Threat ID changes.
Fixed an issue where the firewall generated System logs of critical severity with the message
Could not connect to Cloud : SSL/TLS Authentication Failedeven though the firewall had no connection failures.
Fixed an issue where, after upgrading to PAN-OS 8.0.1, a
object with ten or more
Static Entriesthat mapped to the same IP address caused the firewall DNS daemon to restart, which prevented users from accessing applications that required DNS lookups.
Fixed an issue where Panorama incorrectly calculated the number of Terminal Services (TS) agent configurations to be beyond the maximum that the managed firewalls supported and then failed to push device group configurations after you upgraded Panorama to PAN-OS 8.0.1.
Fixed an issue where the firewall failed to retrieve user groups from an LDAP server because the server response did not have a page control value.
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where users could not access applications and services through GlobalProtect when session distribution was set to round robin (default).
Fixed an issue where firewalls were missing a GlobalProtect satellite configuration pushed from a Panorama template.
Fixed an issue where you had to configure a license deactivation API key to manually deactivate licenses for VM-Series firewalls.
Fixed an issue where the firewall stopped receiving IP port-to-username mappings from a Terminal Services (TS) agent if you set its
Hostfield to an FQDN instead of an IP address.
Fixed an issue where reports delivered through the Email Scheduler (
) displayed data totals as bytes instead of kilobytes (K), megabytes (M), or gigabytes (G), which made the totals hard to read.
Fixed an issue where the firewall could not decrypt SSL connections due to a cache issue, which prevented users from accessing SSL websites.
Fixed an issue where you could not delete a tunnel interface from a Panorama template (
Fixed an issue where you could not push a Management (MGT) interface configuration from a Panorama template (
) to firewalls unless you specified an
IP Addressfor the interface.
Fixed an issue on VM-Series firewalls where the dataplane restarted if jumbo frames were enabled on single root input/output virtualization (SR-IOV) interfaces.
Fixed an issue where the
routedprocess stopped responding after you checked the static route monitoring status through the web interface (
) or CLI (
Static Route Monitoring
show routing path-monitor).
Fixed an issue where the M-100 or M-500 appliance lost logs after upgrading from a PAN-OS 7.1 release to a PAN-OS 8.0 release.
Fixed an issue where the firewall did not accept local IPv6 addresses that were longer than 31 characters when you configured IPv6 BGP peering.
Fixed an issue where a regression introduced in PAN-OS 8.0.0 and 8.0.1 caused the firewall dataplane to restart in certain cases when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
Fixed an issue on HA Panorama M-100 appliances where the passive peer did not update the local VMware NSX manager plugin after you upgraded from a PAN-OS 7.1 release to a PAN-OS 8.0 release, which caused a plugin mismatch with the active peer.
Fixed an issue where you could not set the authentication profile
) on a firewall in FIPS mode.
Fixed an issue where a management server memory leak caused several tasks to fail, including commits, PAN-DB URL downloads, dynamic updates, and FQDN or External Dynamic List (EDL) refreshes.
Fixed an issue where the Panorama management server restarted because the
configdprocess stopped running after an upgrade.
Fixed an issue where locally created certificates had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.
Fixed an issue where the firewall used the default route (instead of the next best available route) when the eBGP next hop was unavailable, which resulted in dropped packets. Additionally with this fix, the default time-to-live (TTL) value for a single hop eBGP peer is changed to 1 (instead of 2).
Fixed an issue where, after upgrading M-500 private cloud appliances to a release later than PAN-OS 8.0.0, queried URLs did not resolve to a category when they were a best match to an entry in the URL database that had many subdomains and path levels. With this fix, you can upgrade the appliances to PAN-OS 8.0.2; do not upgrade the appliances to PAN-OS 8.0.1.
Fixed an issue where Panorama took a long time to push configurations from multiple device groups to firewalls.
Fixed an issue where users experienced slow network connectivity due to CPU utilization spikes in the firewall network processing cards (NPCs) when the URL cache exceeded one million entries.
Fixed an issue where VM-Series firewalls failed to create predict sessions for RTP and RTCP, which disrupted H.323-based video conferencing traffic. Additionally, fixed an issue where all firewall models dropped RTP packets because policy matching failed for RTP traffic.
Fixed an issue where the
show running url-cache statisticsCLI command did not display enough information to diagnose issues related to URL category resolution. With this fix, the error messages indicate what failed and the exact point of failure.
Fixed an issue where the firewall did not release IP addresses assigned to interfaces after you changed the addressing
Fixed an issue where the Export Named Configuration dialog did not let you filter configuration snapshots by Name, which prevented you from selecting snapshots beyond the first 500. With this fix, you can now enter a filter string in the Name field to display any matching snapshots.
Fixed an issue where, in Decryption policy rules with an
No Decrypt, you could not use the web interface to set the decryption
Typefor matching traffic.
Fixed an issue on Panorama where the web interface became unresponsive after you selected
Export to CSVfor a custom report, which forced you to log in to the CLI and reboot Panorama or restart the management server.
Fixed an issue where commits failed due to configuration memory limits on firewalls that had numerous Security policy rules that referenced many address objects. With this fix, the number of address objects that a policy rule references does not impact configuration memory.
Fixed an issue where the User-ID process (
useridd) stopped responding when there were a lot of non-browser based requests from clients, which resulted in too many pan_errors disk writes.
Fixed an issue where conflicting next-hop entries in the egress routing table caused the firewall to incorrectly route traffic that matched Policy-Based Forwarding (PBF) policy rules configured to
Enforce Symmetric Return.
Fixed an issue where firewalls configured in a virtual wire deployment where Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets were dropped.
Fixed an issue where a session caused the dataplane to restart if the session was active during and after you installed a content update on the firewall and the update contained a decoder change.
Fixed an issue where pushing configurations from Panorama caused firewall management interfaces that were configured through DHCP to release or renew every time instead of when the DHCP leases expired.
Fixed an issue where App-ID signature matching did not work on the firewall, which caused it to misidentify applications.
A security-related fix was made to address OpenSSL vulnerabilities (CVE-2017-3731).
Fixed an issue where the VM-Series firewall on Azure supported only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
Fixed an issue where cookie-based authentication for the GlobalProtect gateway failed with the following error:
Invalid user name.
Fixed an issue where the firewall did not commit changes to the NTP servers configuration (
) if the firewall connected to the servers through a service route and the management (MGT) interface was down.
Fixed an issue where SSL Inbound Decryption failed when the private key was stored on a hardware security module (HSM).
Fixed an issue where the firewall did not purge expired IP address-to-username mappings, which caused one of the root partitions to run out of free space.
Fixed an issue where enabling encryption on the HA1 control link (
) and rebooting one HA firewall peer in an active/passive configuration caused split-brain to occur.
Fixed an issue on firewalls with multiple virtual systems where end users could not authenticate to a GlobalProtect portal or gateway that specified an authentication profile for which the Allow List referenced user groups instead of usernames.
Fixed an issue where, when the GlobalProtect
Portal Login Pagewas set to
) and the user entered
https://portalin the browser URL field, the browser redirected to https://portal/global-protect/login.esp, which exposed that the firewall functioned as a GlobalProtect VPN. With this fix, the firewall now responds with a 502 Bad Gateway response and does not expose the function of the firewall.
Fixed an issue where OSPF adjacency flapping occurred between the firewall and an OSPF peer due to a heavy processing load on the dataplane and queued OSPF hello packets.
Fixed an issue where HA failover and fail-back events terminated sessions that started before the failover.
Fixed an issue where the firewall displayed only part of the
URL Filtering Continue and Overrideresponse page.
A security-related fix was made to prevent brute-force attacks on the GlobalProtect external interface (CVE-2017-7945).
Fixed an issue where, after a DoS attack ended, the firewall continued generating Threat logs and incrementing the session drop counter.
Fixed an issue where high-volume SSL traffic intermittently added latency to SSL sessions.
Fixed an issue where URL values did not display for the top websites in URL Filtering reports (
Manage PDF Summary
Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM). With this fix, the firewall supports multiple SafeNet HSM client versions; you can use the
request hsm client-versionCLI command to select the version that is compatible with your SafeNet HSM server.
Fixed an issue where the firewall discarded long-lived SIP sessions after a content update, which disrupted SIP traffic.
Fixed an issue where users could not access a secure website if the certificate authority that signed the web server certificate also signed multiple certificates with the same subject name in the Default Trusted Certificate Authorities list on the firewall.
Updated PAN-OS to address NTP issues (CVE-2016-7433).
Fixed an issue where the firewall failed to authenticate to a SafeNet hardware security module (HSM) if the
) contained special characters.
Fixed an issue where GlobalProtect Clientless VPN did not work when its host was a GlobalProtect portal that you configured on an interface with
DHCP Clientenabled (
Fixed an issue where the M-Series appliances did not forward logs to a syslog server over TCP ports.
Fixed an issue where firewalls that had multiple virtual systems and that were deployed in an HA active/active configuration dropped TCP sessions.
Fixed an issue where, when the PAN-OS XML API sent IP address-to-username mappings with no timeout value to a firewall that had the
Enable User Identification Timeoutoption disabled, the firewall assigned the mappings a timeout of 60 minutes instead of never (
Palo Alto Networks User-ID Agent Setup
Fixed an issue where path monitoring failures did not produce enough information for troubleshooting. With this fix, PAN-OS supports additional debug commands and the tech support file (click
Generate Tech Support Fileunder
) includes additional registry values to troubleshoot path monitoring failures.
Fixed an issue on firewalls in an HA configuration where, when an end user accessed applications over a GlobalProtect clientless VPN, the web browser became unresponsive for about 30 seconds after a failover.
Fixed an issue where the firewall stopped forwarding logs to external services (such as a syslog server) after the firewall management server restarted unexpectedly.
Fixed an issue on PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls where end users who accessed applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
Fixed an issue on PA-7000 Series firewalls where the Switch Management Card (SMC) restarted due to false positive conditions (ATA errors) detected during a disk check.
Fixed an issue where
displayed incorrect byte totals and hourly distribution when you filtered the report by
Destination User/Addressinstead of by
Fixed an issue on VM-Series firewalls where commit operations failed after you configured HA with the HA2 and HA3 interfaces.
Fixed an issue where the firewall could not use the certificates in its certificate store (
) after a manual or automatic commit, which caused certificate authentication to fail.
Fixed an issue where the User-ID agent incorrectly read the IP address in the security logs for Kerberos login events.
Fixed an issue where Panorama displayed the
Invalid term(device-group eq)error when you tried to display the logs for a specific device group.
Fixed an issue where the firewall failed to connect to an HTTP server using the HTTPS protocol when the CA certificate that validated the firewall certificate was in a specific virtual system instead of the Shared location.
Fixed an issue on VM-Series firewalls for NSX where the web interface let users specify a
Tag Allowedvalue for virtual wire interfaces (
), which caused a commit error because the option is not configurable on that firewall model. With this fix, the
Tag Allowedvalue has a read-only value of 0-4094 on VM-Series firewalls for NSX.
Fixed an issue where the syslog format for Correlation logs differed from the format of other log types, which prevented the firewall from integrating with some third-party syslog feeds.
Fixed an issue where new users that you added to an Active Directory (AD) user group intermittently failed to authenticate to the GlobalProtect portal.
Fixed an issue on HA firewalls where, if you enabled application-level gateway (ALG) for the Unistim application, VoIP calls that used the UNIStim protocol had only one-way audio after an HA failover event.
Fixed an issue on PA-7000 Series firewalls in a Layer 2 deployment where multicast sessions (such as HSRP) failed because PAN-OS did not reassign the sessions to an alternative Network Processing Card (NPC) if the original NPC was shut down.