End-of-Life (EoL)
PAN-OS 8.0.7 Addressed Issues
PAN-OS® 8.0.7 addressed issues
Issue ID | Description |
---|---|
WF500-4510 | Fixed an issue where WildFire® intermittently
returned incorrect verdicts for Microsoft Office documents opened
in Protected View mode. |
WF500-4388 | Fixed an issue where a cluster of WF-500
appliances that did not have a WildFire public cloud explicitly
defined in their configurations randomly disabled public cloud communication,
causing cluster commits to fail. With this fix, WF-500 appliances
in a cluster always connect to wildfire.paloaltonetworks.com when
you don't specify a WildFire public cloud in their configurations. |
WF500-4366 | Fixed an issue on a WildFire appliance cluster
in a high availability (HA) configuration where the VM interface
on the passive HA peer allowed inbound SSH connections. |
PAN-89936 | A security-related fix was made to prevent
the decryption of captured sessions through the ROBOT attack (CVE-2017-17841). |
PAN-89568 | Fixed an issue where VM-Series and PA-5200
Series firewalls prevented the setup of GTPv2-C tunnels when createsession response
messages had GTP cause value 18, which the firewall associated with
stateful failure. With this fix, the firewalls recognize messages
with that cause value as normal. |
PAN-89078 | Fixed an issue where PA-5220 and PA-5250
firewalls did not support the correct number of policy rules for
Security, Decryption, Application Override, QoS, and Tunnel Inspection
policy. |
PAN-88863 | Fixed an issue where PA-5200 Series firewalls
intermittently dropped packets in Generic Routing Encapsulation
(GRE) tunnels that used Point-to-Point Tunneling Protocol (PPTP). |
PAN-88846 | Fixed an issue where PA-7000 Series, PA-5200
Series, and PA-5000 Series firewalls dropped packets in VPN tunnels
when processing the tunnels and traffic on separate dataplanes within
the same firewall. |
PAN-88775 | Fixed an issue where the firewall reset
memory usage every day because the logrcvr process
had a memory leak. |
PAN-88286 | Fixed an issue on a Panorama management
server where the web interface became inaccessible because PAN-OS
did not delete temporary files and therefore the root partition
ran out of free storage space. |
PAN-87779 | Fixed an issue on VM-Series firewall on
Azure where a virtual network interface card (vNIC) driver introduced
a TCP packet out-of-order condition that reduced throughput. |
PAN-87363 | Fixed an issue where selecting to Generate
Tech Support File (Device Support |
PAN-87277 | Fixed an issue on the Panorama management
server where the following PAN-OS XML API call caused the configd process
to stop responding after you changed the Panorama configuration but
did not yet commit the change:
|
PAN-87160 | Fixed an issue on PA-5200 Series firewalls
where the dataplanes did not have enough memory to support large
configurations. |
PAN-87145 | Fixed an issue where importing a firewall
configuration into a Panorama management server deleted certain
Panorama shared objects. |
PAN-86903 | In rare cases, fixed an issue where PA-800
Series firewalls shut themselves down due to a false overcurrent
measurement. |
PAN-86859 | Fixed an issue where commits and other operations
failed because the mprelay process stopped responding
after you committed an interface configuration change after loading
a configuration, reverting to the running configuration, or restarting
the management server. |
PAN-86775 | Fixed an issue where firewalls in an active/active
HA configuration dropped Q-in-Q traffic (traffic with nested VLAN
tags) when traversing the HA3 interface. |
PAN-86576 | Fixed an issue where end users encountered
application failures because child TCP sessions closed prematurely
after their parent UDP sessions closed. |
PAN-86232 | Fixed an issue where the Panorama management
server displayed No HIP Report Found when
you clicked the log details icon (magnifying glass) for host information
profile (HIP) logs. |
PAN-86226 | Fixed an issue on PA-5000 Series firewalls
running PAN-OS 8.0.5 or a later release where insufficient proxy
memory caused decryption failures and prevented users from accessing
the GlobalProtect portal or gateway. |
PAN-86178 | Fixed an issue where the firewall or Panorama
management server did not display an error message when it ran out
of free disk space, so commits failed without explanation. With
this fix, the firewall or Panorama aborts commits before starting
them when it has insufficient free disk space. |
PAN-85744 | Fixed an issue where the User-ID process ( useridd )
produced an error message (Servererror : Client useridd not ready )
and stopped responding during a commit operation. |
PAN-85640 | Fixed an issue where the firewall could
not refresh external dynamic lists (EDLs) through a proxy server. |
PAN-85497 | Fixed an issue where, after the Panorama
management server successfully downloaded a scheduled content update
but firewalls or Log Collectors could not automatically retrieve
and install the update at the scheduled time (because of temporary
connection issues for example), Panorama did not display an Action
option to Install the update manually (Panorama Device Deployment Dynamic Updates |
PAN-85394 | Fixed an issue on the Panorama management
server where you could not use the web interface to install a GlobalProtect
Cloud Services plugin after modifying the plugin filename. |
PAN-85348 | Fixed an issue where PAN-OS indicated the
master key was invalid when you configured it to use an ampersand
(&) character. With this fix, the ampersand is an allowed character
in the master key. |
PAN-85299 | Fixed an issue on firewalls in an active/passive
HA configuration with link or path monitoring enabled where a failover
resulting from a link or path failure intermittently caused PAN-OS
to delete host, connected, static, and dynamic routes (both OSPF
and BGP) from the forwarding information base (FIB) on the firewall
peer that became active. The failover also caused PAN-OS to intermittently
send unnecessary BGP withdrawal messages to BGP peers. With this
fix, you can prevent these issues by using the new set system setting delay-interface-process interface CLI
command (default is 0ms; range is 0 to 5000ms). This command specifies
a delay period, after a link fails and before PAN-OS brings down
its associated interface, to give enough time after failover for
the newly active firewall HA peer to become fully active and to
synchronize the correct route information with its peer. In most
deployments, the best practice is to set the delay to a period that
is greater than the sum of the <interface-name> delay<0-5000> Promotion Hold Time (default
2000ms) and Monitor Fail Hold Up Time (default 0ms). |
PAN-85238 | A security-related fix was made to prevent
a cross-site scripting (XSS) attack through the PAN-OS Captive Portal (CVE-2017-16878). |
PAN-85047 | Fixed an issue where the firewall failed
to retrieve a domain list from an external dynamic list (EDL) server
over a TLSv1.0 connection. |
PAN-85035 | Fixed an issue where end users could not
access applications and services due to DNS resolution failures
that occurred because the firewall associated the destination port
with Bidirectional Forwarding Detection (BFD) packets instead of
DNS packets. |
PAN-84950 | Fixed an issue where the Panorama management
server did not push changes to the Content Update Server value
of WildFire clusters after a commit on the WF-500 appliances in
that cluster (Panorama Managed
WildFire Clusters General |
PAN-84903 | Fixed an issue where selecting Check Now in Device Dynamic Updates |
PAN-84856 | Fixed an issue where the firewall misidentified
Signiant-based traffic as HTTP-proxy traffic and therefore did not
apply policy correctly to that traffic. |
PAN-84808 | Fixed an issue where high packet-descriptor
utilization caused the firewall to drop traffic over an IPSec tunnel
that used the Authentication Header protocol for key exchange. |
PAN-84781 | Fixed an issue on firewalls with Decryption
policy enabled where intermittent packet loss and decryption failures
occurred because the firewall depleted its software packet buffer
pool. |
PAN-84617 | Fixed an issue on the Panorama management
server where the Task Manager displayed Commit , Download ,
and Software Install tasks as stuck
in a pending state after the configd process restarted.This
issue is not fixed for the Commit All task, which remains stuck
at 0% completion after configd restarts. |
PAN-84546 | Fixed an issue where the Panorama management
server failed to download scheduled content or Antivirus updates
that overlapped with other scheduled downloads. |
PAN-84186 | Fixed an issue where, after the Panorama
management server rebooted, it deleted known hosts for SSH sessions
and therefore disrupted scheduled configuration exports ( Panorama Scheduled Config Export |
PAN-84165 | Fixed an issue where, after a NetApp NFS
server was temporarily unreachable, NetApp NFS clients failed to
reconnect to it because the firewall blocked the challenge ACK signal
required for RFC-5961 sessions. With this fix, you must run the set deviceconfig setting tcp allow-challenge-ack yes CLI
command in configuration mode to enable NFS clients to reconnect
with the NFS server in cases where new connections are required. |
PAN-84082 | Fixed an issue on the Panorama management
server where the management server restarted because the configd process
stopped responding due to memory corruption. |
PAN-84018 | Fixed an issue where Data Filtering logs
did not display files that had spaces in their filenames. |
PAN-83689 | Fixed an issue on PA-5200 Series firewalls
where missing LACP packets caused aggregate Ethernet groups to intermittently
drop interfaces. |
PAN-83678 | Fixed an issue on M-Series appliances where,
after you upgraded the Panorama software or added logging disks
of varying sizes, the appliances stopped collecting logs from firewalls
because uneven log distribution across the logging disks caused
the used storage on one disk to approach the maximum capacity. |
PAN-83394 | Fixed an issue where a firewall on which
you enabled GTP inspection allowed malformed GTP packets with invalid
IMSI or MSISDN numbers to pass inspection. |
PAN-82827 | Fixed an issue where, after you enabled
Captive Portal, the firewall stopped logging traffic for applications
it identified as incomplete or undecided for unknown users (users
that User-ID has not mapped to IP addresses). |
PAN-82825 | Fixed an issue where a commit failed after
you increased the number of external dynamic list (EDL) objects. |
PAN-82760 | Fixed an issue on Panorama Log Collectors
where the show log-collector-es-indices CLI command
displayed errors. Also fixed an issue where Collector Groups with
log redundancy enabled started deleting the oldest logs when the used
storage on Log Collectors approached half the maximum capacity instead
of when used storage approached the full maximum capacity. |
PAN-82731 | Fixed an issue on the Panorama management
server where System logs did not record disconnections with managed
firewalls. |
PAN-82497 | Fixed an issue where the firewall intermittently
dropped username-to-group mappings, which disrupted how it applied group-based
policies. |
PAN-82332 | Fixed an issue where the firewall exported
a configuration file of 0 bytes when you used the firewall web interface
to export a configuration file ( Setup Operations |
PAN-82251 | Fixed an issue where the VM-Series firewall
on AWS GovCloud did not support bootstrapping. |
PAN-82181 | Fixed an issue where the firewall blocked
access to HTTPS websites that had DigiCert-signed certificates after
you configured SSL Forward Proxy decryption, configured the firewall
to Block sessions with unknown certificate status (Objects Decryption Profile SSL Decryption SSL Forward Proxy |
PAN-82125 | Fixed an issue where the firewall management
plane or control plane continuously rebooted after an upgrade to
PAN-OS 8.0, and displayed the following error message: rcu_scheddetected stalls on CPUs/tasks. |
PAN-82117 | Fixed an issue where PA-5000 Series firewalls
in an active/active HA configuration intermittently dropped packets
due to a race condition that occurred when the session owner and
session setup were on different HA peers. |
PAN-82070 | Fixed an issue where PA-5020 firewalls supported
a maximum bandwidth ( Egress Max ) of only
1Gbps for classes of service (Network Network Profiles QoS |
PAN-81885 | Fixed an issue where the firewall did not
display a warning when you deleted a shared object that Security
policy rules used. With this fix, the firewall displays a message
indicating that policy rules use the shared object you are trying
to delete and prevents you from deleting that object until you remove
it from policy rules. |
PAN-81710 | Fixed an issue where the Panorama management
server failed to perform scheduled exports of configuration files
to an FTP server ( Panorama Scheduled Config Export |
PAN-81586 | A security-related fix was made to prevent
a cross-site scripting (XSS) vulnerability in GlobalProtect (CVE-2017-15941). |
PAN-81573 | Fixed an issue where a firewall configured
as a DNS proxy ( Network DNS Proxy Type set
to FQDN and a name that ended with a period (Objects Addresses |
PAN-81539 | Fixed an issue where commits failed because
the logrcvr process restarted continuously on firewalls
that had NetFlow exports configured. |
PAN-81171 | Fixed an issue where firewalls that performed
SSL decryption slowed the download of large files over HTTPS on
macOS endpoints. |
PAN-80645 | Fixed an issue where the VM-Series firewall
lost OSPF adjacency with a peer device because the firewall dropped
large OSPF link state packets. |
PAN-80631 | Fixed an issue where the Panorama management
server failed to push configuration changes filtered by administrator
to managed firewalls after you configured Panorama to not Share
Unused Address and Service Objects with Devices . |
PAN-80542 | Fixed an issue where administrators whose
roles have the Privacy privilege disabled (Device Admin Roles Web UI |
PAN-80423 | Fixed an issue where VM-Series firewalls
in an active/passive HA configuration added a delay in traffic once
every minute while sending Gratuitous Address Resolution Protocol
(GARP) packets after you set the Link State to down on a
Layer 3 interface (Network Interfaces Ethernet <interface> Advanced |
PAN-80395 | Fixed an issue where the User-ID agent mapped
IP addresses to incorrect (obscured) usernames when the firewall
authenticated users through a SAML identity provider (IdP) that
excluded the username attribute from SAML assertions and used a
persistent name-identifier policy ( NameIDPolicy ). With
this fix, the firewall no longer mandates a transient NameIDPolicy
for SAML assertions; the NameIDPolicy is entirely at the discretion
of the IdP.An IdP that excludes the username attribute
and has a transient NameIDPolicy still sends obscured usernames
to the firewall. |
PAN-80272 | Fixed an issue where Data Filtering logs
showed incorrect file names for file uploads and downloads. |
PAN-80263 | Fixed an issue where numerous simultaneous
LDAP connections (in the order of tens or more) caused the connections
between firewalls and User-ID agents to become stuck in the connecting
state. |
PAN-79753 | Fixed an issue where the Panorama management
server restarted after you ran the replace device old CLI
command to replace the serial number of an old managed firewall
with that of a new managed firewall.<old_SN#> new <new_SN#> |
PAN-79671 | Fixed an issue where firewalls ran out of
disk space because they did not purge logs quickly enough. |
PAN-79309 | Fixed an issue where the firewall applied
case sensitivity when matching domain names when you selected to Use
domain to determine authentication profile in an authentication sequence
(Device Authentication
Sequence |
PAN-79302 | Fixed an issue where committing configuration
changes took longer than expected when you configured Security policy
rules with combinations of applications and service ports. |
PAN-79247 | Fixed an issue where the firewall did not
apply your changes in HIP objects and profiles to Security policy
rules and HIP Match logs unless GlobalProtect clients reconnected
to the GlobalProtect gateway. |
PAN-79167 | Fixed an issue on the Panorama management
server where the members count became zero for all existing shared
address groups after you imported a firewall configuration. |
PAN-79067 | Fixed an issue where the firewall treated
an address object as a region object when the address object had
the same name as a deleted region object. |
PAN-78716 | Fixed an issue on the Panorama management
server and firewall where, after you added new administrator accounts
and those administrators logged in, the administrative roles you
assigned to those accounts had incomplete and therefore invalid
configurations. |
PAN-78082 | Fixed an issue where the firewall dropped
sessions during SSL Inbound decryption because decryption errors
caused TLS session resumption to fail. |
PAN-77800 | Fixed an issue where the firewall failed
to generate a Simple Certificate Enrollment Protocol (SCEP) certificate
when you selected a SCEP profile with the Subject containing
an email address attribute (Device Certificate Management SCEP |
PAN-77779 | Fixed an issue where the Panorama management
server did not release a commit lock after a successful commit. |
PAN-77673 | Fixed an issue where, when testing which
policy rule applied to traffic between a specified destination and
source, the PAN-OS XML API query did not display as much information
as the corresponding CLI command ( test security-policy-match ). |
PAN-77526 | Fixed an issue where, after you used a Panorama
management server to push the Require Password Change
on First Login setting to managed firewalls (Device Setup Management Minimum Password Complexity |
PAN-77241 | Fixed an issue on the Panorama management
server and PA-7000 Series firewalls where the risk meter in the ACC tab
always indicated 0 risk. |
PAN-77128 | Fixed an issue on the Panorama management
server where the Commit Commit
and Push |
PAN-77019 | Fixed an issue where PA-7000 Series firewalls
in an active/active HA configuration randomly dropped packets because
High Speed Chassis Interconnect (HSCI) links intermittently flapped. |
PAN-76404 | Fixed an issue where scheduled custom reports
did not correctly display column headers. |
PAN-76349 | Fixed an issue where a Panorama management
server running PAN-OS 8.0 pushed configurations to firewalls running
PAN-OS 7.1 instead of just validating the push operation after you
selected to Validate Template Push (Commit Commit and Push |
PAN-76220 | Fixed an issue where Dedicated Log Collectors
failed to connect to a Panorama management server when you specified
an FQDN as the Panorama Server IP (Panorama Managed Collectors <Log_Collector> General |
PAN-75741 | Fixed an issue where the firewall did not
generate System logs to indicate registration or connection errors
that prevented it from submitting files to the WildFire cloud. |
PAN-60244 | Fixed an issue where the Panorama management
server did not display firewall logs after you configured Panorama
to access the Palo Alto Networks Update Server through a proxy server
but did not specify login credentials for the proxy server ( Panorama Setup Services |
PAN-58581 | Fixed an issue where a GlobalProtect satellite
sent the wrong certificate chain after you renewed the certificate
authority (CA) certificates of GlobalProtect portals and gateways. |
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.