Fixed an issue where the Panorama Log Collectors did not receive some firewall logs and took longer than expected to receive all logs when a Collector Group had spaces in its name.

Fixed an issue where PA-7000 Series firewalls rebooted continuously because the

brdagent

process stopped responding during bootup due to HSCI interface initialization.

Fixed an issue on the Panorama™ virtual appliance where the NFS mount failed during system bootup.

Fixed an issue where the Panorama management server did not push default Security policy rule settings (

Policies

Security

Default Rules

) to firewalls when the settings were inherited from a parent device group.

Fixed an issue where firewalls rebooted continuously because the

routed

process stopped responding after the Panorama management server pushed invalid configurations to the firewalls. With this fix, Panorama performs an additional sanity check during push operations that causes the operations to stop with errors instead of making routed unresponsive.

Fixed an issue where the firewall intermittently dropped traffic after failing to decrypt it due to proxy memory depletion.

Fixed an issue where, after an administrator with the read-only superuser role changed his or her password and then an administrator with the superuser role performed a partial commit, neither administrator could authenticate to the firewall.

Fixed an issue on firewalls in an active/active high availability (HA) configuration where the primary firewall, with a floating IP address bound to it, sent ARP probes containing the MAC address of the secondary firewall instead of the primary. Sending ARP probes with the incorrect MAC address caused the secondary firewall to drop traffic.

Fixed an issue where firewalls in an HA configuration did not map IP addresses to the usernames of GlobalProtect™ end users because the User-ID™ manager (

idmgr

) on the active firewall continuously reset after reaching its maximum capacity for User-ID information (such as user mappings and group mappings).

Fixed an issue on VM-Series firewalls in an HA configuration where HA path monitoring failed and triggered failover.

Fixed an issue where the firewall failed to generate reports based on URL Filtering logs due to a syntax error when the logs contained single quotation mark characters (').

Fixed an issue where a Panorama management server in an HA configuration became unresponsive after initiating HA synchronization.

Fixed an issue on the Panorama management server where the web interface displayed a

502 badgateway

error and the

configd

process stopped responding after you selected the

more

option for a dynamic address group in a Security policy rule (

Policies

Security

<rule_type>

<rule>

Source/Destination

).

Fixed an issue where FQDN refresh operations produced a

Not Resolved

error because the DNS proxy engine incorrectly stopped converting ASCII encoded characters at the second-last character instead of the last character.

As an enhancement to PA-5200 Series firewalls, you can now disable or enable (default) L4 checksum checking by running the new

set system setting layer4-checksum {disable | enable}

CLI command and then rebooting the firewall. Disabling the checking enables the firewall to allow packets it would otherwise drop when some wireless access points add a VSS-monitoring Ethernet trailer (6 bytes) to HTTP request packets.

Fixed an issue where firewall performance degraded because ICMP ping packets associated with static route monitoring caused a hardware buffer leak.

Fixed an issue where session offloading failed because offloaded packets related to Policy-Based Forwarding (PBF) used the incorrect PBF return MAC address.

Fixed an issue where firewalls did not refresh FQDN objects during the initial boot-up phase of the bootstrapping process.

Fixed an issue where firewalls that had ECMP and session offloading enabled sent offloaded traffic to the incorrect next hop.

Fixed an issue where root partition utilization approached the maximum capacity because the firewall did not remove WildFire® download logs that were due for removal.

Fixed an issue where SNMP managers did not display object identifiers (OIDs) for the Ethernet1/3, Ethernet1/4, and Ethernet1/5 interfaces of M-500 appliances.

Fixed an issue where a Panorama management server in an HA configuration generated group mapping synchronization errors because the passive HA peer did not verify whether the

Enable reporting and filtering on groups

option was disabled (

Panorama

Setup

Management

: Panorama Settings).

As an enhancement for GlobalProtect gateways, you can now add up to 100 DNS suffixes instead of 10 for resolving the unqualified hostnames of GlobalProtect clients (

Network

GlobalProtect

Gateways

<gateway>

Agent

Network Services

).

Fixed an issue where running the

clear session all filter source

CLI command eleven or more times simultaneously caused Bidirectional Forwarding Detection (BFD) flapping.

Fixed an issue where the firewall dataplane slowed significantly and, in some cases, stopped responding if you used nested wildcards (*) with "." or "/" as delimiters in the URLs of a custom URL category (

Objects

Custom Objects

URL Category

) or in the

Allow List

of a URL Filtering profile (

Objects

Security Profiles

URL Filtering

<URL-filtering-profile>

Overrides

). With this fix, the firewall does not allow you to use nested wildcards in such cases. For details, see how Nested Wildcard in URLs May Severely Affect Performance.

Fixed an issue where the Panorama management server displayed more policy rules than were applicable to the targeted

Device

when you selected to

Preview Rules

.

Fixed an issue on firewalls configured as DHCP servers and deployed in an HA configuration where, after HA failover, commits failed and the following error message displayed:

Managementserver failed to send phase 1 to client dhcpd.

Fixed an issue where firewalls that had tunnel inspection enabled for GTP-U traffic did not generate END entries in Tunnel Inspection logs after the GTP-U sessions cleared.

As an enhancement to improve security for GlobalProtect deployments, the GlobalProtect portal now includes the following HTTP security headers in responses to end user login requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.

Fixed an issue on firewalls with multiple virtual systems where SSL decryption failed when you installed the Forward Trust Certificate in a specific virtual system instead of in the Shared location.

Fixed an issue on PA-7000 Series and PA-5200 Series firewalls with NetFlow monitoring configured where dataplanes restarted because too many processes stopped responding.

Fixed an issue where switching firewalls to FIPS-CC mode set the

Base DN

to

None

and disabled the

Verify Server Certificate for SSL sessions

option for LDAP server profiles that you viewed or edited in the web interface (

Device

Server Profiles

LDAP

).

Fixed an issue where the Panorama management server stopped communicating with firewalls when the incoming log rate from firewalls exceeded the capacity of the Panorama buffers.

Fixed an issue where, after the Panorama management server pushed configurations to a firewall, the firewall restarted because its

cordd

process stopped responding.

Fixed an issue where firewalls in an active/active HA configuration enforced user-based policies inconsistently because port-to-username mappings did not synchronize between the primary and secondary HA peers.

Fixed an issue where the firewall rebooted repeatedly because the User-ID process (

useridd

) stopped responding after you committed a mobile device management (MDM) configuration that failed to connect the firewall to the MDM (

Network

GlobalProtect

MDM

).

Fixed an issue where pushing a custom application named http or smb (

Objects

Applications

) from the Panorama management server to firewalls interfered with antivirus detection on the firewalls.

Fixed an issue where the firewall intermittently misidentified the App-ID for SSL applications. This issue occurred when a server hosted multiple applications on the same port, and the firewall identified traffic for an application using this port on the server and then inaccurately recorded other applications on this server-port combination as the previously identified application. The fix requires running the

set application use-appid-cache-ssl-sni no

CLI command to disable the SSL-based App-ID cache.

Fixed an issue where, on a firewall configured to collect username-to-group mappings from multiple LDAP servers over SSL/TLS-secured connections (

Device

Server Profiles

LDAP

), the firewall rebooted because the User-ID process (

useridd

) restarted several times during initialization.

Fixed an issue on PA-7000 Series firewalls where the

logrcvr

process had a memory leak.

Fixed an issue on the Panorama management server where, after you pushed device group settings without template settings to managed firewalls, Panorama excluded template files when you used the

scp export device-state

CLI command to export configurations.

Fixed an issue where the VM-500 firewall stopped generating GTP logs when the session table reached 75% utilization.

Fixed an issue where the WF-500 appliance sent ICMP unreachable messages from the VM Interface to the Management interface.

Fixed an issue where SaaS Application Usage reports did not

Include logs from

the

Selected Zone

that you specified when configuring the report (

Monitoring

PDF Reports

SaaS Application Usage

).

Fixed an issue where firewalls generated System logs with

cipher decrypt-final failure

messages after switching from normal operational mode to FIPS-CC mode.

Fixed an issue where a Panorama virtual appliance in Legacy mode that was deployed in an HA configuration did not receive logs forwarded from PA-7000 Series and PA-5200 Series firewalls.

Fixed an issue on the Panorama management server where the Task Manager closed when you set the

Show

drop-down to

All jobs

after a

Commit

Commit and Push

operation generated errors and warnings.

Fixed an issue where commits failed because the

routed

process did not delete DHCP-assigned IP addresses that you removed from firewall interfaces.

Fixed an issue where the Panorama web interface displayed serial numbers instead of device names when you scheduled an update to install on firewalls or Log Collectors, set the

Type

to

Applications and Threats

, and set the

Recurrence

to

Hourly

or

Every 30 mins

(

Panorama

Device Deployment

Dynamic Updates

Schedules

<schedule>

).

Fixed an issue where Android endpoints could not establish VPN tunnels to GlobalProtect gateways that you configured to

Enable X-Auth Support

(

Network

GlobalProtect

Gateways

<gateway>

Agent

<agent>

Tunnel Settings

). With this fix, GlobalProtect gateways use SHA1 first in the order of HMAC algorithms used for authenticating endpoints that use X-Auth.

Fixed an issue where the firewall rebooted because the User-ID process (

useridd

) stopped responding after you performed clone or shutdown operations on VMware vCenter.

Fixed an issue where, after you downgraded from PAN-OS® 8.0 to PAN-OS 7.1, firewalls without direct internet access did not display software images in the web interface (

Device

Software

) or CLI regardless of whether you downloaded the images from the Palo Alto Networks® Update Server (at an earlier time when the firewalls had internet access) or manually uploaded the images from another system.

Fixed an issue where attempting to commit a configuration that was invalid because different interfaces had overlapping subnetworks produced a commit error message that indicated duplicate IP addresses instead of the actual error condition.

Fixed an issue where VM-Series firewalls on NSX failed to install content updates retrieved from the Panorama management server.

Fixed an issue where PA-220 firewalls did not provide an SNMP object identifier (OID) for system disk usage.

Fixed an issue on the Panorama management server where configuring a

Panorama

Scheduled Config Export

based on FTP but with some fields unpopulated caused Panorama to use its default local host certificate instead of the

SSL/TLS Service Profile

for administrative access to the web interface (

Panorama

Setup

Management

).

Fixed an issue where the

test vpn ipsec-sa tunnel

<tunnel-name>

:

<proxy-id-name>

CLI command failed when the tunnel

Name

and

Proxy ID

values collectively exceeded 32 characters (

Network

IPSec Tunnels

<tunnel>

Proxy IDs

). With this fix, the firewall allows 64 characters for the combined

Name

and

Proxy ID

values.

Fixed an issue on VM-Series firewalls in Data Plane Development Kit (DPDK) mode where the

all_task

,

mprelay

, and

pan_dha

processes stopped responding.

Fixed an issue where the

show predefined xpath /predefined/threats

CLI command did not displays threat identifiers.

Fixed an issue where the Panorama management server did not display logs from PA-5000 Series or PA-7000 Series firewalls, did not display scheduled reports that included IP address fields, and did not email those reports.

Fixed an issue on PA-200, PA-220, and PA-800 Series firewalls where specifying a

Life Time

for a master key (

Device

Master Key and Diagnostics

) caused the key expiration and reminder dates to have incorrect values.

Fixed an issue where the

tftp export stats-dump

CLI command failed to generate a Stats Dump file and displayed the following error:

Failed to redirect error to /var/log/pan/report_gen.log(Permission denied).

Fixed an issue on M-Series appliances, PA-7000 Series firewalls, and PA-5000 Series firewalls where the

disk-failed

,

disk-faulty

, and

pair-disappeared

RAID events had only a medium severity level in System logs. With this fix, these events have a critical severity level.

Fixed an issue where administrators with the device administrator role did not have the role privileges required to run the

scp import software

CLI command.

Fixed an issue where a Panorama management server deployed behind a NAT device could not manage firewalls running PAN-OS 8.0. With this fix, you must run a new operational mode CLI command on a Panorama management server that is behind a NAT device, runs PAN-OS 8.0 or a later release, and manages firewalls running PAN-OS 8.0 or a later release. The CLI command is

set dlsrvr server

<FQDN>

, where

<FQDN>

is the FQDN of the Panorama Management interface.

Fixed an issue where endpoints could not authenticate to a GlobalProtect portal through client certificate authentication due to an incorrect certificate status when the portal used a

Certificate Profile

that specified Online Certificate Status Protocol (OCSP) to validate certificates (

Network

GlobalProtect

Portals

<portal>

Authentication

).

Fixed an issue on a Panorama management server in an HA configuration where, in rare cases, the virtual machine (VM) auth key disappeared after you rebooted the active HA peer.

Fixed an issue where the

show system state filter-pretty sw.dev.interface.config

CLI command did not display the MAC address (

hwaddr

) or maximum transmission unit (

mtu

) for aggregate Ethernet interfaces.

As an enhancement to enable comparing SNMP output with CLI output for the rate of interface connections established per second (CPS), the

show counter interface

CLI command displays the following new counters: TCP CPS, UDP CPS, and other CPS (for all non-TCP and non-UDP connections).

Fixed an issue where the firewall displayed error messages such as the following after bootup even though bootup succeeded:

Error: sysd_construct_sync_importer(sysd_sync.c:328):sysd_sync_register() failed: (111) Unknown error code.

Fixed an issue where the GlobalProtect portal did not comply with HTTP Strict Transport Security (HSTS) when redirecting users from HTTP to HTTPS upon accessing the portal login page. With this fix, HSTS is enabled to secure the redirect to HTTPS, the portal requires a valid server certificate, the endpoint browser displays a warning to users with invalid client certificates who access the login page using an IP address instead of an FQDN, and you cannot use the same FQDN for both the login page and firewall Management interface.

Fixed an issue where VM-Series firewalls on NSX prevented client-server TCP sessions from closing at the correct time when you configured a reset

Action

in Security policy rules (

Policies

Security

<rule>

Actions

).

Fixed an issue where firewalls in an active/active HA configuration sent packets out of order.

Fixed an issue where you could not set the QoS Egress Max to more than 16,000 Mbps for an aggregate Ethernet interface (

Network

QoS

<interface>

Physical Interface

). With this fix, you can set the QoS Egress Max to a maximum of 60,000 Mbps.

Fixed an issue where VM-Series firewalls did not apply NAT translation to the ports in the via and contact headers of Session Initiation Protocol (SIP) sessions after you enabled Dynamic IP and Port (DIPP) NAT.