PAN-OS 8.0.7 Addressed Issues
Fixed an issue where WildFire® intermittently returned incorrect verdicts for Microsoft Office documents opened in Protected View mode.
Fixed an issue where a cluster of WF-500 appliances that did not have a WildFire public cloud explicitly defined in their configurations randomly disabled public cloud communication, causing cluster commits to fail. With this fix, WF-500 appliances in a cluster always connect to wildfire.paloaltonetworks.com when you don't specify a WildFire public cloud in their configurations.
Fixed an issue on a WildFire appliance cluster in a high availability (HA) configuration where the VM interface on the passive HA peer allowed inbound SSH connections.
A security-related fix was made to prevent the decryption of captured sessions through the ROBOT attack (CVE-2017-17841).
Fixed an issue where VM-Series and PA-5200 Series firewalls prevented the setup of GTPv2-C tunnels when create session response messages had GTP cause value 18, which the firewall associated with stateful failure. With this fix, the firewalls recognize messages with that cause value as normal.
Fixed an issue where PA-5220 and PA-5250 firewalls did not support the correct number of policy rules for Security, Decryption, Application Override, QoS, and Tunnel Inspection policy.
Fixed an issue where PA-5200 Series firewalls intermittently dropped packets in Generic Routing Encapsulation (GRE) tunnels that used Point-to-Point Tunneling Protocol (PPTP).
Fixed an issue where PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls dropped packets in VPN tunnels when processing the tunnels and traffic on separate dataplanes within the same firewall.
Fixed an issue where the firewall reset memory usage every day because the logrcvr process had a memory leak.
Fixed an issue on a Panorama management server where the web interface became inaccessible because PAN-OS did not delete temporary files and therefore the root partition ran out of free storage space.
Fixed an issue on VM-Series firewalls on Azure where a virtual network interface card (vNIC) driver introduced a TCP packet out-of-order condition that reduced throughput.
Fixed an issue where selecting to Generate Tech Support File (Device > Support) caused Bidirectional Forwarding Detection (BFD) flapping while the firewall generated the file.
Fixed an issue on the Panorama management server where the following PAN-OS XML API call caused the configd process to stop responding after you changed the Panorama configuration but did not yet commit the change:
Fixed an issue on PA-5200 Series firewalls where the dataplanes did not have enough memory to support large configurations.
Fixed an issue where importing a firewall configuration into a Panorama management server deleted certain Panorama shared objects.
Fixed an issue where commits and other operations failed because the mprelay process stopped responding after you committed an interface configuration change after loading a configuration, reverting to the running configuration, or restarting the management server.
Fixed an issue where firewalls in an active/active HA configuration dropped Q-in-Q traffic (traffic with nested VLAN tags) when traversing the HA3 interface.
Fixed an issue where end users encountered application failures because child TCP sessions closed prematurely after their parent UDP sessions closed.
Fixed an issue where the Panorama management server displayed No HIP Report Found when you clicked the log details icon (magnifying glass) for host information profile (HIP) logs.
Fixed an issue on PA-5000 Series firewalls running PAN-OS 8.0.5 or a later release where insufficient proxy memory caused decryption failures and prevented users from accessing the GlobalProtect portal or gateway.
Fixed an issue where the firewall or Panorama management server did not display an error message when it ran out of free disk space, so commits failed without explanation. With this fix, the firewall or Panorama aborts commits before starting them when it has insufficient free disk space.
Fixed an issue where the User-ID process (useridd) produced an error message (Server error : Client useridd not ready) and stopped responding during a commit operation.
Fixed an issue where the firewall could not refresh external dynamic lists (EDLs) through a proxy server.
Fixed an issue where, after the Panorama management server successfully downloaded a scheduled content update but firewalls or Log Collectors could not automatically retrieve and install the update at the scheduled time (because of temporary connection issues, for example), Panorama did not display an Action option to Install the update manually (Panorama > Device Deployment > Dynamic Updates).
Fixed an issue on the Panorama management server where you could not use the web interface to install a GlobalProtect Cloud Services plugin after modifying the plugin filename.
Fixed an issue where PAN-OS indicated the master key was invalid when you configured it to use an ampersand (&) character. With this fix, the ampersand is an allowed character in the master key.
Fixed an issue on firewalls in an active/passive HA configuration with link or path monitoring enabled where a failover resulting from a link or path failure intermittently caused PAN-OS to delete host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that became active. The failover also caused PAN-OS to intermittently send unnecessary BGP withdrawal messages to BGP peers. With this fix, you can prevent these issues by using the new set system setting delay-interface-process interface <interface-name> delay <0-5000> CLI command (default is 0ms; range is 0 to 5000ms). This command specifies a delay period, after a link fails and before PAN-OS brings down its associated interface, to give enough time after failover for the newly active firewall HA peer to become fully active and to synchronize the correct route information with its peer. In most deployments, the best practice is to set the delay to a period that is greater than the sum of the Promotion Hold Time (default 2000ms) and Monitor Fail Hold Up Time (default 0ms).
A security-related fix was made to prevent a cross-site scripting (XSS) attack through the PAN-OS Captive Portal (CVE-2017-16878).
Fixed an issue where the firewall failed to retrieve a domain list from an external dynamic list (EDL) server over a TLSv1.0 connection.
Fixed an issue where end users could not access applications and services due to DNS resolution failures that occurred because the firewall associated the destination port with Bidirectional Forwarding Detection (BFD) packets instead of DNS packets.
Fixed an issue where the Panorama management server did not push changes to the Content Update Server value of WildFire clusters after a commit on the WF-500 appliances in that cluster (Panorama > Managed WildFire Clusters > General).
Fixed an issue where selecting Check Now in Device > Dynamic Updates caused PAN-OS to apply a global configuration lock that prevented any administrators from performing tasks on the firewall while it checked the Palo Alto Networks Update Server for new content updates. With this fix, PAN-OS no longer locks the configuration when checking for content updates.
Fixed an issue where the firewall misidentified Signiant-based traffic as HTTP-proxy traffic and therefore did not apply policy correctly to that traffic.
Fixed an issue where high packet-descriptor utilization caused the firewall to drop traffic over an IPSec tunnel that used the Authentication Header protocol for key exchange.
Fixed an issue on firewalls with Decryption policy enabled where intermittent packet loss and decryption failures occurred because the firewall depleted its software packet buffer pool.
Fixed an issue on the Panorama management server where the Task Manager displayed Commit, Download, and Software Install tasks as stuck in a pending state after the configd process restarted.
This issue is not fixed for the Commit All task, which remains stuck at 0% completion after configd restarts.
Fixed an issue where the Panorama management server failed to download scheduled content or Antivirus updates that overlapped with other scheduled downloads.
Fixed an issue where, after the Panorama management server rebooted, it deleted known hosts for SSH sessions and therefore disrupted scheduled configuration exports (Panorama > Scheduled Config Export).
Fixed an issue where, after a NetApp NFS server was temporarily unreachable, NetApp NFS clients failed to reconnect to it because the firewall blocked the challenge ACK signal required for RFC-5961 sessions. With this fix, you must run the set deviceconfig setting tcp allow-challenge-ack yes CLI command in configuration mode to enable NFS clients to reconnect with the NFS server in cases where new connections are required.
Fixed an issue on the Panorama management server where the management server restarted because the configd process stopped responding due to memory corruption.
Fixed an issue where Data Filtering logs did not display files that had spaces in their filenames.
Fixed an issue on PA-5200 Series firewalls where missing LACP packets caused aggregate Ethernet groups to intermittently drop interfaces.
Fixed an issue on M-Series appliances where, after you upgraded the Panorama software or added logging disks of varying sizes, the appliances stopped collecting logs from firewalls because uneven log distribution across the logging disks caused the used storage on one disk to approach the maximum capacity.
Fixed an issue where a firewall on which you enabled GTP inspection allowed malformed GTP packets with invalid IMSI or MSISDN numbers to pass inspection.
Fixed an issue where, after you enabled Captive Portal, the firewall stopped logging traffic for applications it identified as incomplete or undecided for unknown users (users that User-ID has not mapped to IP addresses).
Fixed an issue where a commit failed after you increased the number of external dynamic list (EDL) objects.
Fixed an issue on Panorama Log Collectors where the show log-collector-es-indices CLI command displayed errors. Also fixed an issue where Collector Groups with log redundancy enabled started deleting the oldest logs when the used storage on Log Collectors approached half the maximum capacity instead of when used storage approached the full maximum capacity.
Fixed an issue on the Panorama management server where System logs did not record disconnections with managed firewalls.
Fixed an issue where the firewall intermittently dropped username-to-group mappings, which disrupted how it applied group-based policies.
Fixed an issue where the firewall exported a configuration file of 0 bytes when you used the firewall web interface to export a configuration file (Setup > Operations).
Fixed an issue where the VM-Series firewall on AWS GovCloud did not support bootstrapping.
Fixed an issue where the firewall blocked access to HTTPS websites that had DigiCert-signed certificates after you configured SSL Forward Proxy decryption, configured the firewall to Block sessions with unknown certificate status (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy), and configured certificate status validation through certificate revocation lists (CRLs).
Fixed an issue where the firewall management plane or control plane continuously rebooted after an upgrade to PAN-OS 8.0, and displayed the following error message: rcu_sched detected stalls on CPUs/tasks.
Fixed an issue where PA-5000 Series firewalls in an active/active HA configuration intermittently dropped packets due to a race condition that occurred when the session owner and session setup were on different HA peers.
Fixed an issue where PA-5020 firewalls supported a maximum bandwidth (Egress Max) of only 1Gbps for classes of service (Network > Network Profiles > QoS). With this fix, the egress max limit is 8Gbps on PA-5020 firewalls and 16Gbps on PA-5050 and PA-5060 firewalls.
Fixed an issue where the firewall did not display a warning when you deleted a shared object that Security policy rules used. With this fix, the firewall displays a message indicating that policy rules use the shared object you are trying to delete and prevents you from deleting that object until you remove it from policy rules.
Fixed an issue where the Panorama management server failed to perform scheduled exports of configuration files to an FTP server (Panorama > Scheduled Config Export).
A security-related fix was made to prevent a cross-site scripting (XSS) vulnerability in GlobalProtect (CVE-2017-15941).
Fixed an issue where a firewall configured as a DNS proxy (Network > DNS Proxy) failed to resolve an address object with the Type set to FQDN and a name that ended with a period (Objects > Addresses).
Fixed an issue where commits failed because the logrcvr process restarted continuously on firewalls that had NetFlow exports configured.
Fixed an issue where firewalls that performed SSL decryption slowed the download of large files over HTTPS on macOS endpoints.
Fixed an issue where the VM-Series firewall lost OSPF adjacency with a peer device because the firewall dropped large OSPF link state packets.
Fixed an issue where the Panorama management server failed to push configuration changes filtered by administrator to managed firewalls after you configured Panorama to not Share Unused Address and Service Objects with Devices.
Fixed an issue where administrators whose roles had the Privacy privilege disabled (Device > Admin Roles > Web UI) could still view details about source IP addresses and usernames in scheduled reports.
Fixed an issue where VM-Series firewalls in an active/passive HA configuration added a delay in traffic once every minute while sending Gratuitous Address Resolution Protocol (GARP) packets after you set the Link State to down on a Layer 3 interface (Network > Interfaces > Ethernet > <interface> > Advanced).
Fixed an issue where the User-ID agent mapped IP addresses to incorrect (obscured) usernames when the firewall authenticated users through a SAML identity provider (IdP) that excluded the username attribute from SAML assertions and used a persistent name-identifier policy (NameIDPolicy). With this fix, the firewall no longer mandates a transient NameIDPolicy for SAML assertions; the NameIDPolicy is entirely at the discretion of the IdP.
An IdP that excludes the username attribute and has a transient NameIDPolicy still sends obscured usernames to the firewall.
Fixed an issue where Data Filtering logs showed incorrect file names for file uploads and downloads.
Fixed an issue where numerous simultaneous LDAP connections (in the order of tens or more) caused the connections between firewalls and User-ID agents to become stuck in the connecting state.
Fixed an issue where the Panorama management server restarted after you ran the replace device old <old_SN#> new <new_SN#> CLI command to replace the serial number of an old managed firewall with that of a new managed firewall.
Fixed an issue where firewalls ran out of disk space because they did not purge logs quickly enough.
Fixed an issue where the firewall applied case sensitivity when matching domain names when you selected to Use domain to determine authentication profile in an authentication sequence (Device > Authentication Sequence). With the fix, the name matching is case insensitive: users can log in to a Windows domain system using a domain name with upper or lower case characters.
Fixed an issue where committing configuration changes took longer than expected when you configured Security policy rules with combinations of applications and service ports.
Fixed an issue where the firewall did not apply your changes in HIP objects and profiles to Security policy rules and HIP Match logs unless GlobalProtect clients reconnected to the GlobalProtect gateway.
Fixed an issue on the Panorama management server where the members count became zero for all existing shared address groups after you imported a firewall configuration.
Fixed an issue where the firewall treated an address object as a region object when the address object had the same name as a deleted region object.
Fixed an issue on the Panorama management server and firewall where, after you added new administrator accounts and those administrators logged in, the administrative roles you assigned to those accounts had incomplete and therefore invalid configurations.
Fixed an issue where the firewall dropped sessions during SSL Inbound decryption because decryption errors caused TLS session resumption to fail.
Fixed an issue where the firewall failed to generate a Simple Certificate Enrollment Protocol (SCEP) certificate when you selected a SCEP profile with the Subject containing an email address attribute (Device > Certificate Management > SCEP).
Fixed an issue where the Panorama management server did not release a commit lock after a successful commit.
Fixed an issue where, when testing which policy rule applied to traffic between a specified destination and source, the PAN-OS XML API query did not display as much information as the corresponding CLI command (test security-policy-match).
Fixed an issue where, after you used a Panorama management server to push the Require Password Change on First Login setting to managed firewalls (Device > Setup > Management > Minimum Password Complexity), those firewalls did not prompt administrators to change their passwords during initial login.
Fixed an issue on the Panorama management server and PA-7000 Series firewalls where the risk meter in the ACC tab always indicated 0 risk.
Fixed an issue on the Panorama management server where the Commit > Commit and Push operation did not push the running configuration to firewalls.
Fixed an issue where PA-7000 Series firewalls in an active/active HA configuration randomly dropped packets because High Speed Chassis Interconnect (HSCI) links intermittently flapped.
Fixed an issue where scheduled custom reports did not correctly display column headers.
Fixed an issue where a Panorama management server running PAN-OS 8.0 pushed configurations to firewalls running PAN-OS 7.1 instead of just validating the push operation after you selected to Validate Template Push (Commit > Commit and Push).
Fixed an issue where Dedicated Log Collectors failed to connect to a Panorama management server when you specified an FQDN as the Panorama Server IP (Panorama > Managed Collectors > <Log_Collector> > General) due to a DNS resolution failure that resulted from PAN-OS appending an extra line-break character to the end of the FQDN.
Fixed an issue where the firewall did not generate System logs to indicate registration or connection errors that prevented it from submitting files to the WildFire cloud.
Fixed an issue where the Panorama management server did not display firewall logs after you configured Panorama to access the Palo Alto Networks Update Server through a proxy server but did not specify login credentials for the proxy server (Panorama > Setup > Services).
Fixed an issue where a GlobalProtect satellite sent the wrong certificate chain after you renewed the certificate authority (CA) certificates of GlobalProtect portals and gateways.