End-of-Life (EoL)

PAN-OS 8.0.3 Addressed Issues

PAN-OS® 8.0.3 addressed issues
Issue ID
Description
WF500-4291
Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files.
PAN-78448
Fixed an issue where the firewall dropped some logs that it was configured to forward to syslog servers.
PAN-77849
Fixed an issue where the Captive Portal web form did not display to end users after you pushed device group configurations from a Panorama management server running Panorama 8.0 to a firewall running PAN-OS 7.1.
PAN-77802
Fixed an issue where every commit cleared tunnel flow sessions such as GRE and IPSec ESP/AH sessions.
PAN-77520
Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
PAN-77516
A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
PAN-77400
Fixed an issue on a firewall running PAN-OS 8.0.1 or 8.0.2 where you could not log in to the web interface after performing a private data reset.
PAN-77339
Fixed an issue where the SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that ran in FIPS-CC mode.
PAN-77290
Fixed an issue where Panorama displayed a missing vsys error message when you tried to update dynamic address groups through PAN-OS XML API calls, even if you specified a virtual system.
PAN-77250
Fixed an issue where the firewall lost offloaded sessions on a subinterface that belonged to an aggregate interface group and that had QoS enabled.
PAN-77173
A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229).
PAN-77127
Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated.
PAN-77033
Fixed an issue where using a Panorama management server running PAN-OS 8.0 to generate a report that queried an unsupported log field from a PA-7050 firewall running PAN-OS 7.1 slowed the performance of Panorama because the mgmtsrvr process stopped responding.
PAN-76964
Fixed an issue where interfaces went down due to packet buffers being overwhelmed after the firewall tried to close the connection to a rogue client that ignored the URL Filtering block page.
PAN-76890
Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
PAN-76746
Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall.
PAN-76651
Fixed an issue where VM-Series firewalls dropped multicast traffic if you enabled Data Plane Development Kit (DPDK) on VMXNET3 interfaces.
PAN-76650
Fixed an issue where renaming a shared object on Panorama that Panorama has pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies.
PAN-76615
Fixed an issue where Panorama failed to Generate Tech Support File (Panorama > Support).
PAN-76565
Fixed an issue where dynamic content updates failed on the firewall when DNS response times were slow.
PAN-76454
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where Generic Routing Encapsulation (GRE) session creation failed when the firewalls received GRE packets with a Point-to-Point Protocol (PPP) payload.
PAN-76330
Fixed an issue where the pan_task process stopped, which caused a loss of service and interruption to OSPF.
PAN-76271
Fixed an issue where you could not access the Panorama web interface or CLI because the configd process stopped after a Preview Changes operation (Commit > Commit to Panorama).
PAN-76184
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where disabling the option to Turn on QoS feature on this interface (Network > QoS) reduced throughput on 40Gbps interfaces.
PAN-76162
Fixed an issue where Panorama 8.0 did not display logs from PA-7000 Series firewalls running PAN-OS 7.0 or PAN-OS 7.1.
PAN-76158
Fixed an issue where the firewall, when processing heavy traffic, did not properly identify and block the Psiphon application when the Psiphon client was configured to use a specific source country.
PAN-76153
Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
PAN-76144
Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades.
PAN-76032
Fixed an issue where the firewall web interface displayed a misspelling in the tooltip that opened when you hovered over Commit when no configuration changes were pending.
PAN-76003
A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416).
PAN-75977
Fixed an issue where users failed to authenticate through a Ucopia LDAP server.
PAN-75617
Fixed an issue where the firewall performed the default signature action for threat vulnerability exceptions instead of performing the Action you set in the Vulnerability Protection profile (Objects > Security Profiles > Vulnerability Protection > Exceptions).
PAN-75580
Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to command buffer limitation.
PAN-75512
Fixed an issue where the firewall failed to decrypt VPN traffic for packets of certain sizes if you set the Encryption algorithm to aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (Network > Network Profiles > IPSec Crypto).
PAN-75413
Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
PAN-75372
Fixed an issue where Panorama dropped all administrative users because the management-server process restarted.
PAN-75337
Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptic curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
PAN-75304
Fixed an issue where the firewall populated default values for IPSec Crypto profiles that did not have an IPSec Protocol (ESP or AH) defined (Network > Network Profiles > IPSec Crypto); the default values caused an IKE configuration parsing error that prevented IPSec VPN tunnels from coming up.
PAN-75215
Fixed an issue where the active firewall in an HA deployment kept sessions active for an hour instead of discarding them after 90 seconds when the sessions matched the URL category in a policy rule that was set to deny.
PAN-75158
Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled (Device > High Availability > General > Election Settings) due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
PAN-75154
Fixed an issue where the Monitor > Traffic Map displayed the Northwestern Somali region as Solomon Islands instead of Somalia.
PAN-75119
Fixed an issue where IP Address Exemptions in Anti-Spyware profiles (Objects > Security Profiles > Anti-Spyware Profile) did not work for certain threats.
PAN-75118
Fixed an issue where commits failed after you added an IPv6 peer group to a virtual router that had Border Gateway Protocol (BGP) enabled (Network > Virtual Routers > BGP > Peer Group) and that had import, export and aggregate rules configured.
PAN-75029
Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as resources unavailable.
PAN-74938
Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error.
PAN-74865
Fixed an issue where Panorama could not push address objects to managed firewalls if zones specified the objects in the User Identification ACL include or exclude lists (Network > Zones) and if you configured Panorama not to Share Unused Address and Service Objects with Devices (Panorama > Setup > Management > Panorama Settings).
PAN-74639
Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.
PAN-74601
Fixed an issue on Panorama where Device Group and Template administrators who had access domains assigned to their accounts could not edit shared security profiles (Objects > Security Profiles) after committing those profiles.
PAN-74579
Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane.
PAN-74440
Fixed an issue where the firewall generated System logs indicating the l3svc process stopped repeatedly because the cryptod daemon deleted a certificate key associated with an SSL/TLS Service Profile that was used for the URL Admin Override feature (Device > Setup > Content ID) or for Captive Portal (Device > User Identification > Captive Portal Settings).
PAN-74369
Fixed an issue where modifying the BFD profile in a virtual router (Network > Virtual Routers) caused the routed process to stop.
PAN-74334
Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets.
PAN-74243
Fixed an issue where, after you used a Panorama template to push DNS server IP addresses (Device > Setup > Services) to a bootstrapped VM-Series firewall, the firewall failed to resolve FQDNs.
PAN-73919
Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture).
PAN-73916
Fixed an issue where, after you logged in to the firewall with an administrator account that does not have a superuser role and you then tried to Disable an application (Objects > Applications > <application-name>), the firewall displayed an error message that did not indicate the need for superuser privileges.
PAN-73707
Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (Device > Certificate Management > SCEP).
PAN-73631
Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
PAN-73556
Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.
PAN-73551
Fixed an issue where commits failed with the error syntax error [kmp_sa_lifetime_time ;] if the firewall had IKE Crypto profiles without a Key Lifetime defined (Network > Network Profiles > IKE Crypto).
PAN-73548
Fixed an issue where the firewall used the global service route (Device > Setup > Services > Global) instead of service routes defined for specific virtual systems (Device > Setup > Services > Virtual Systems) if you configured Device > Server Profiles in the Shared location.
PAN-73484
Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
PAN-73281
Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
PAN-73254
Fixed an issue where, after you installed the VMware NSX plugin on Panorama in a high availability (HA) configuration, Panorama did not automatically synchronize configuration changes between the HA peers unless you first updated settings related to the NSX plugin.
PAN-73184
Fixed an issue where successive HTTP GET requests in a single session failed if you configured SSL Decryption with the Strip X-Forwarded-For option enabled (Device > Setup > Content-ID).
PAN-72946
Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface (Device > Setup > Management). With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate.
PAN-72863
Fixed an issue where the PAN-OS integrated User-ID agent or Windows-based User-ID agent stopped responding because the firewall sent numerous queries
PAN-72753
Fixed an issue where you could not configure the 0.0.0.0/1 subnet as a Proxy ID for IPSec VPN tunnels.
PAN-72433
Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
PAN-72258
Fixed an issue where pushing an ARP load-sharing configuration (Device > High Availability > Active/Active Config > Virtual Address) from Panorama to a firewall deleted it from the firewall.
PAN-71922
Fixed an issue where the firewall did not generate Threat logs for classified DoS Protection profiles that had an Action set to SYN Cookies (Objects > Security Profiles > DoS Protection > Flood Protection > SYN Flood).
PAN-71535
Fixed an issue on Panorama where Panorama > Device Deployment > Software stopped displaying software images for a release after you performed a manual Upload for a software image of that release.
PAN-71133
Fixed an issue where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
PAN-69449
Fixed an issue where, after a clock change on the firewall (such as for Daylight Saving Time), the ACC did not display information for time periods before the change.
PAN-68808
Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
PAN-68580
Fixed an issue where HA VM-Series firewalls displayed the wrong link state after a link-monitoring failure.
PAN-66076
Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway and Authentication Override is enabled (Network > GlobalProtect > Portals > <portal-configuration> > Agent > <agent-configuration> > Authentication).
PAN-64639
Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
PAN-62159
Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
PAN-59372
Fixed an issue where neither Panorama nor the firewall generated a System log indicating a password change after you used a Panorama template to push an administrator password change to the firewall.
PAN-56287
Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
PAN-46374
Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).
