PAN-OS 8.0.3 Addressed Issues
Fixed an issue where the WF-500 appliance returned false positives for known, benign Portable Executable (PE) files.
Fixed an issue where the firewall dropped some logs that it was configured to forward to syslog servers.
Fixed an issue where the Captive Portal web form did not display to end users after you pushed device group configurations from a Panorama management server running Panorama 8.0 to a firewall running PAN-OS 7.1.
Fixed an issue where every commit cleared tunnel flow sessions such as GRE and IPSec ESP/AH sessions.
Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
A security-related fix was made to address a Remote Code Execution (RCE) vulnerability when the PAN-OS DNS Proxy service resolved FQDNs (CVE-2017-8390).
Fixed an issue on a firewall running PAN-OS 8.0.1 or 8.0.2 where you could not log in to the web interface after performing a private data reset.
Fixed an issue where the SafeNet Client 6.2.2 did not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that ran in FIPS-CC mode.
Fixed an issue where Panorama displayed a missing vsys error message when you tried to update dynamic address groups through PAN-OS XML API calls, even if you specified a virtual system.
Fixed an issue where the firewall lost offloaded sessions on a subinterface that belonged to an aggregate interface group and that had QoS enabled.
A security-related fix was made to prevent remote code execution within the Linux kernel that the firewall management plane uses (CVE-2016-10229).
Fixed an issue where the firewall reduced the range of local and remote IKEv2 traffic selectors in a way that disrupted traffic in a VPN tunnel that a Cisco Adaptive Security Appliance (ASA) initiated.
Fixed an issue where using a Panorama management server running PAN-OS 8.0 to generate a report that queried an unsupported log field from a PA-7050 firewall running PAN-OS 7.1 slowed the performance of Panorama because the mgmtsrvr process stopped responding.
Fixed an issue where interfaces went down due to packet buffers being overwhelmed after the firewall tried to close the connection to a rogue client that ignored the URL Filtering block page.
Fixed an issue where traffic that included a ZIP file caused the all_task process to restart and the firewall dropped packets while waiting for that process to resume.
Fixed an issue on the PA-7080 firewall where authentication traffic from a wireless controller to a RADIUS server failed due to buffer depletion on the firewall.
Fixed an issue where VM-Series firewalls dropped multicast traffic if you enabled Data Plane Development Kit (DPDK) on VMXNET3 interfaces.
Fixed an issue where renaming a shared object on Panorama that Panorama has pushed to firewalls caused a commit failure if the firewalls referenced that object in local policies.
Fixed an issue where Panorama failed to Generate Tech Support File (
Fixed an issue where dynamic content updates failed on the firewall when DNS response times were slow.
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where Generic Routing Encapsulation (GRE) session creation failed when the firewalls received GRE packets with a Point-to-Point Protocol (PPP) payload.
Fixed an issue where the pan_task process stopped, which caused a loss of service and interruption to OSPF.
Fixed an issue where you could not access the Panorama web interface or CLI because the configd process stopped after a Preview Changes operation (Commit to Panorama
Fixed an issue on PA-7000 Series and PA-5200 Series firewalls where disabling the option to Turn on QoS feature on this interface reduced throughput on 40Gbps interfaces.
Fixed an issue where Panorama 8.0 did not display logs from PA-7000 Series firewalls running PAN-OS 7.0 or PAN-OS 7.1.
Fixed an issue where the firewall, when processing heavy traffic, did not properly identify and block the Psiphon application when the Psiphon client was configured to use a specific source country.
Fixed an issue where PA-5000 Series firewalls dropped traffic because predict sessions incorrectly matched Policy-Based Forwarding (PBF) policy rules for non-related sessions.
Fixed an issue where throughput was reduced on PA-5000 Series firewalls that used a single UDP session on one dataplane to process high rates of tunneled traffic. With this fix, you can use the set session filter-ip-proc-cpu CLI command to use multiple dataplanes to process traffic for up to 32 destination server IP addresses. This setting persists after reboots and upgrades.
Fixed an issue where the firewall web interface displayed a misspelling in the tooltip that opened when you hovered over Commit when no configuration changes were pending.
A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416).
Fixed an issue where users failed to authenticate through a Ucopia LDAP server.
Fixed an issue where the firewall performed the default signature action for threat vulnerability exceptions instead of performing the Action you set in the Vulnerability Protection profile (
Fixed an issue where a PAN-OS XML API query to fetch all dynamic address groups failed with an Opening and ending tag mismatch error due to command buffer limitation.
Fixed an issue where the firewall failed to decrypt VPN traffic for packets of certain sizes if you set the aes-256-gcm in the IPSec Crypto profile used for the VPN tunnel (
Fixed an issue where DHCP servers did not assign IP addresses to new end users (DHCP clients) because the firewall failed to process and relay DHCP messages between the servers and clients after you configured a firewall interface as a DHCP relay agent.
Fixed an issue where Panorama dropped all administrative users because the
Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptical curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
Fixed an issue where the firewall populated default values for IPSec Crypto profiles that did not have an IPSec Protocol (ESP or AH) defined; the default values caused an IKE configuration parsing error that prevented IPSec VPN tunnels from coming up.
Fixed an issue where the active firewall in an HA deployment kept sessions active for an hour instead of discarding them after 90 seconds when the sessions matched the URL category in a policy rule that was set to deny.
Fixed an issue with network outages on firewalls in a virtual wire HA configuration with HA Preemptive failback enabled due to Layer 2 looping after failover events while the firewalls processed broadcast traffic.
Fixed an issue where the
displayed the Northwestern Somali region as Solomon Islands instead of Somalia.
Fixed an issue where IP Address Exemptions in Anti-Spyware profiles did not work for certain threats.
Fixed an issue where commits failed after you added an IPv6 peer group to a virtual router that had Border Gateway Protocol (BGP) enabled and that had import, export and aggregate rules configured.
Fixed an issue where the PA-5060 firewall randomly dropped packets and displayed the reason in Traffic logs as
Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason
Fixed an issue where Panorama could not push address objects to managed firewalls if zones specified the objects in the User Identification ACL include or exclude lists and if you configured Panorama not to Share Unused Address and Service Objects with Devices (
Fixed an issue where the root partition on the firewall was low on disk space (requiring you to run the debug dataplane packet-diag clear log log CLI command to free disk space) because the pan_task process generated logs for H.225 sessions.
Fixed an issue on Panorama where Device Group and Template administrators who had access domains assigned to their accounts could not edit shared security profiles after committing those profiles.
Fixed an issue where the debug dataplane internal pdt oct show-all CLI command restarted the firewall dataplane.
Fixed an issue where the firewall generated System logs indicating the l3svc process stopped repeatedly because the cryptod daemon deleted a certificate key associated with an SSL/TLS Service Profile that was used for the URL Admin Override feature or for Captive Portal (Captive Portal Settings
Fixed an issue where modifying the BFD profile in a virtual router caused the routed process to stop.
Fixed an issue on Panorama where the replace device CLI command did not replace the serial numbers of firewalls that policy rules referenced as targets.
Fixed an issue where, after you used a Panorama template to push DNS server IP addresses to a bootstrapped VM-Series firewall, the firewall failed to resolve FQDNs.
Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (
Fixed an issue where, after you logged in to the firewall with an administrator account that does not have a superuser role and you then tried to Disable an application, the firewall displayed an error message that did not indicate the need for superuser privileges.
Fixed an issue where you could not generate a SCEP certificate if the SCEP Challenge (password) had a semicolon (
Fixed an issue where end user clients failed on their first attempt to authenticate when you configured Captive Portal for certificate-based authentication and the client certificates exceeded 2,000 bytes.
Fixed an issue where the firewall did not delete multicast forwarding information base (FIB) entries for multicast groups that stopped receiving traffic.
Fixed an issue where commits failed with the error syntax error [kmp_sa_lifetime_time ;] if the firewall had IKE Crypto profiles without a Key Lifetime defined (
Fixed an issue where the firewall used the global service route (
) instead of service routes defined for specific virtual systems (
) if you configured
in the Shared location.
Fixed an issue where the firewall server process (devsrvr) restarted during URL updates.
Fixed an issue where the firewall dropped multicast traffic on an egress VLAN interface when the traffic was offloaded.
Fixed an issue where, after you installed the VMware NSX plugin on Panorama in a high availability (HA) configuration, Panorama did not automatically synchronize configuration changes between the HA peers unless you first updated settings related to the NSX plugin.
Fixed an issue where successive HTTP GET requests in a single session failed if you configured SSL Decryption with the Strip X-Forwarded-For option enabled (
Fixed an issue where HA firewalls displayed as out of sync if an SSL/TLS Service Profile without a certificate was assigned to the management (MGT) interface. With this fix, PAN-OS unassigns the SSL/TLS Service Profile if it doesn't have a certificate.
Fixed an issue where the PAN-OS integrated User-ID agent or Windows-based User-ID agent stopped responding because the firewall sent numerous queries
Fixed an issue where you could not configure the 0.0.0.0/1 subnet as a Proxy ID for IPSec VPN tunnels.
Fixed an issue where the PA-7050 firewall displayed incorrect information for the packet counts and number of bytes associated with traffic on subinterfaces. With this fix, the firewall displays the correct information in the show interface CLI command output and in other sources of information for subinterfaces (such as SNMP statistics and NetFlow record exports).
Fixed an issue where pushing an ARP load-sharing configuration from Panorama to a firewall deleted it from the firewall.
Fixed an issue where the firewall did not generate Threat logs for classified DOS protection profiles that had an
Fixed an issue on Panorama where
stopped displaying software images for a release after you performed a manual Upload for a software image of that release.
Fixed an issue on where the dataplane rebooted after multiple dataplane processes restarted due to memory corruption.
Fixed an issue where, after a clock change on the firewall (such as for Daylight Savings Time), the ACC did not display information for time periods before the change.
Fixed an issue on the PA-7050 firewall where the mprelay process experienced a memory leak and stopped responding, which caused slot failures and HA failover.
Fixed an issue where HA VM-Series firewalls displayed the wrong link state after a link-monitoring failure.
Fixed an issue where the GlobalProtect portal prompted end users to enter a one-time password (OTP) even after the users entered the OTP for the GlobalProtect gateway and Authentication Override is enabled (
Fixed an issue where HA firewalls failed to synchronize the PAN-DB URL database.
Fixed an issue where the firewall did not generate WildFire Submission logs when the number of cached logs exceeded storage resources on the firewall.
Fixed an issue where neither Panorama nor the firewall generated a System log indicating a password change after you used a Panorama template to push an administrator password change to the firewall.
Fixed an issue where the firewall discarded VoIP sessions that had multicast destinations.
Fixed an issue on PA-7000 Series firewalls where you had to power cycle the Switch Management Card (SMC) when it failed to come up after a soft reboot (such as after upgrading the PAN-OS software).