End-of-Life (EoL)
PAN-OS 8.0.8 Addressed Issues
PAN-OS® 8.0.8 addressed issues
Issue ID | Description |
---|---|
PAN-92105 | Fixed an issue where the Panorama Log Collectors
did not receive some firewall logs and took longer than expected
to receive all logs when a Collector Group had spaces in its name. |
PAN-89718 | Fixed an issue where PA-7000 Series firewalls
rebooted continuously because the brdagent process
stopped responding during bootup due to HSCI interface initialization. |
PAN-89697 | Fixed an issue on the Panorama™ virtual
appliance where the NFS mount failed during system bootup. |
PAN-89650 | Fixed an issue where the Panorama management
server did not push default Security policy rule settings ( Policies Security Default Rules |
PAN-89646 | Fixed an issue where firewalls rebooted
continuously because the routed process stopped responding
after the Panorama management server pushed invalid configurations
to the firewalls. With this fix, Panorama performs an additional
sanity check during push operations that causes the operations to
stop with errors instead of making routed unresponsive. |
PAN-89575 | Fixed an issue where the firewall intermittently
dropped traffic after failing to decrypt it due to proxy memory
depletion. |
PAN-89556 | Fixed an issue where, after an administrator
with the read-only superuser role changed his or her password and
then an administrator with the superuser role performed a partial
commit, neither administrator could authenticate to the firewall. |
PAN-89349 | Fixed an issue on firewalls in an active/active
high availability (HA) configuration where the primary firewall,
with a floating IP address bound to it, sent ARP probes containing
the MAC address of the secondary firewall instead of the primary.
Sending ARP probes with the incorrect MAC address caused the secondary
firewall to drop traffic. |
PAN-89176 | Fixed an issue where firewalls in an HA
configuration did not map IP addresses to the usernames of GlobalProtect™
end users because the User-ID™ manager ( idmgr ) on the
active firewall continuously reset after reaching its maximum capacity
for User-ID information (such as user mappings and group mappings). |
PAN-89169 | Fixed an issue on VM-Series firewalls in
an HA configuration where HA path monitoring failed and triggered
failover. |
PAN-88981 | Fixed an issue where the firewall failed
to generate reports based on URL Filtering logs due to a syntax
error when the logs contained single quotation mark characters ('). |
PAN-88953 | Fixed an issue where a Panorama management
server in an HA configuration became unresponsive after initiating
HA synchronization. |
PAN-88882 | Fixed an issue on the Panorama management
server where the web interface displayed a 502 badgateway error
and the configd process stopped responding after you
selected the more option for a dynamic address
group in a Security policy rule (Policies Security <rule_type> <rule> Source/Destination |
PAN-88809 | Fixed an issue where FQDN refresh operations
produced a Not Resolved error because
the DNS proxy engine incorrectly stopped converting ASCII encoded
characters at the second-last character instead of the last character. |
PAN-88671 | As an enhancement to PA-5200 Series firewalls,
you can now disable or enable (default) L4 checksum checking by
running the new set system setting layer4-checksum {disable | enable} CLI
command and then rebooting the firewall. Disabling the checking
enables the firewall to allow packets it would otherwise drop when
some wireless access points add a VSS-monitoring Ethernet trailer
(6 bytes) to HTTP request packets. |
PAN-88507 | Fixed an issue where firewall performance
degraded because ICMP ping packets associated with static route
monitoring caused a hardware buffer leak. |
PAN-88474 | Fixed an issue where session offloading
failed because offloaded packets related to Policy-Based Forwarding
(PBF) used the incorrect PBF return MAC address. |
PAN-88456 | Fixed an issue where firewalls did not refresh
FQDN objects during the initial boot-up phase of the bootstrapping
process. |
PAN-88213 | Fixed an issue where firewalls that had
ECMP and session offloading enabled sent offloaded traffic to the
incorrect next hop. |
PAN-87880 | Fixed an issue where root partition utilization
approached the maximum capacity because the firewall did not remove
WildFire® download logs that were due for removal. |
PAN-87481 | Fixed an issue where SNMP managers did not
display object identifiers (OIDs) for the Ethernet1/3, Ethernet1/4,
and Ethernet1/5 interfaces of M-500 appliances. |
PAN-87215 | Fixed an issue where a Panorama management
server in an HA configuration generated group mapping synchronization
errors because the passive HA peer did not verify whether the Enable reporting
and filtering on groups option was disabled (Panorama Setup Management |
PAN-87147 | As an enhancement for GlobalProtect gateways,
you can now add up to 100 DNS suffixes instead of 10 for resolving
the unqualified hostnames of GlobalProtect clients ( Network GlobalProtect Gateways <gateway> Agent Network Services |
PAN-87122 | Fixed an issue where running the clear session all filter source CLI
command eleven or more times simultaneously caused Bidirectional
Forwarding Detection (BFD) flapping. |
PAN-86882 | Fixed an issue where the firewall dataplane
slowed significantly and, in some cases, stopped responding if you
used nested wildcards (*) with "." or "/" as delimiters in the URLs
of a custom URL category ( Objects Custom Objects URL Category Allow List of a URL Filtering profile (Objects Security Profiles URL Filtering <URL-filtering-profile> Overrides |
PAN-86814 | Fixed an issue where the Panorama management
server displayed more policy rules than were applicable to the targeted Device when
you selected to Preview Rules . |
PAN-86676 | Fixed an issue on firewalls configured as
DHCP servers and deployed in an HA configuration where, after HA
failover, commits failed and the following error message displayed: Managementserver failed to send phase 1 to client dhcpd. |
PAN-86671 | Fixed an issue where firewalls that had
tunnel inspection enabled for GTP-U traffic did not generate END
entries in Tunnel Inspection logs after the GTP-U sessions cleared. |
PAN-86595 | Fixed an issue on M-Series appliances in Panorama
mode in an active/passive HA configuration where commit jobs were
stuck at 99% and all subsequent jobs entered a pending state. |
PAN-86115 | Fixed an issue where PA-7000 Series firewalls
intermittently displayed incorrect usernames for Traffic logs. |
PAN-86076 | As an enhancement to improve security for
GlobalProtect deployments, the GlobalProtect portal now includes
the following HTTP security headers in responses to end user login
requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy. |
PAN-85650 | Fixed an issue on firewalls with multiple
virtual systems where SSL decryption failed when you installed the
Forward Trust Certificate in a specific virtual system instead of
in the Shared location. |
PAN-85515 | Fixed an issue on PA-7000 Series and PA-5200
Series firewalls with NetFlow monitoring configured where dataplanes
restarted because too many processes stopped responding. |
PAN-85456 | Fixed an issue where switching firewalls
to FIPS-CC mode set the Base DN to None and disabled
the Verify Server Certificate for SSL sessions option
for LDAP server profiles that you viewed or edited in the web interface (Device Server Profiles LDAP |
PAN-85103 | Fixed an issue where the Panorama management
server stopped communicating with firewalls when the incoming log
rate from firewalls exceeded the capacity of the Panorama buffers. |
PAN-85066 | Fixed an issue where, after the Panorama
management server pushed configurations to a firewall, the firewall
restarted because its cordd process stopped responding. |
PAN-84806 | Fixed an issue where firewalls in an active/active
HA configuration enforced user-based policies inconsistently because
port-to-username mappings did not synchronize between the primary
and secondary HA peers. |
PAN-84752 | Fixed an issue where the firewall rebooted
repeatedly because the User-ID process ( useridd ) stopped
responding after you committed a mobile device management (MDM)
configuration that failed to connect the firewall to the MDM (Network GlobalProtect MDM |
PAN-84703 | Fixed an issue where pushing a custom application
named http or smb ( Objects Applications |
PAN-84445 | Fixed an issue where the firewall intermittently
misidentified the App-ID for SSL applications. This issue occurred
when a server hosted multiple applications on the same port, and
the firewall identified traffic for an application using this port
on the server and then inaccurately recorded other applications
on this server-port combination as the previously identified application.
The fix requires running the set application use-appid-cache-ssl-sni no CLI
command to disable the SSL-based App-ID cache. |
PAN-84406 | Fixed an issue where, on a firewall configured
to collect username-to-group mappings from multiple LDAP servers
over SSL/TLS-secured connections ( Device Server Profiles LDAP useridd )
restarted several times during initialization. |
PAN-84219 | Fixed an issue on PA-7000 Series firewalls
where the logrcvr process had a memory leak. |
PAN-84000 | Fixed an issue on the Panorama management
server where, after you pushed device group settings without template
settings to managed firewalls, Panorama excluded template files
when you used the scp export device-state CLI
command to export configurations. |
PAN-83937 | Fixed an issue where the VM-500 firewall
stopped generating GTP logs when the session table reached 75% utilization. |
PAN-83909 | Fixed an issue where the WF-500 appliance
sent ICMP unreachable messages from the VM Interface to the Management
interface. |
PAN-83495 | Fixed an issue where SaaS Application Usage
reports did not Include logs from the Selected Zone that
you specified when configuring the report (Monitoring PDF Reports SaaS Application Usage |
PAN-83270 | Fixed an issue where firewalls generated
System logs with cipher decrypt-final failure messages
after switching from normal operational mode to FIPS-CC mode. |
PAN-83153 | Fixed an issue where a Panorama virtual
appliance in Legacy mode that was deployed in an HA configuration
did not receive logs forwarded from PA-7000 Series and PA-5200 Series
firewalls. |
PAN-83014 | Fixed an issue on the Panorama management
server where the Task Manager closed when you set the Show drop-down
to All jobs after a Commit Commit and Push |
PAN-82949 | Fixed an issue where commits failed because
the routed process did not delete DHCP-assigned IP addresses
that you removed from firewall interfaces. |
PAN-82413 | Fixed an issue where the Panorama web interface
displayed serial numbers instead of device names when you scheduled
an update to install on firewalls or Log Collectors, set the Type to Applications
and Threats , and set the Recurrence to Hourly or Every
30 mins (Panorama Device Deployment Dynamic Updates Schedules <schedule> |
PAN-82370 | Fixed an issue where Android endpoints could
not establish VPN tunnels to GlobalProtect gateways that you configured
to Enable X-Auth Support (Network GlobalProtect Gateways <gateway> Agent <agent> Tunnel Settings |
PAN-82321 | Fixed an issue where the firewall rebooted
because the User-ID process ( useridd ) stopped responding
after you performed clone or shutdown operations on VMware vCenter. |
PAN-82138 | Fixed an issue where, after you downgraded
from PAN-OS® 8.0 to PAN-OS 7.1, firewalls without direct internet
access did not display software images in the web interface ( Device Software |
PAN-82105 | Fixed an issue where attempting to commit
a configuration that was invalid because different interfaces had
overlapping subnetworks produced a commit error message that indicated
duplicate IP addresses instead of the actual error condition. |
PAN-82103 | Fixed an issue where VM-Series firewalls
on NSX failed to install content updates retrieved from the Panorama
management server. |
PAN-82091 | Fixed an issue where PA-220 firewalls did
not provide an SNMP object identifier (OID) for system disk usage. |
PAN-82048 | Fixed an issue on the Panorama management
server where configuring a Panorama Scheduled Config Export SSL/TLS
Service Profile for administrative access to the web
interface (Panorama Setup Management |
PAN-81689 | Fixed an issue where the test vpn ipsec-sa tunnel CLI
command failed when the tunnel <tunnel-name> :<proxy-id-name> Name and Proxy
ID values collectively exceeded 32 characters (Network IPSec Tunnels <tunnel> Proxy IDs Name and Proxy
ID values. |
PAN-81637 | Fixed an issue on VM-Series firewalls in
Data Plane Development Kit (DPDK) mode where the all_task , mprelay ,
and pan_dha processes stopped responding. |
PAN-81632 | Fixed an issue where the show predefined xpath /predefined/threats CLI
command did not displays threat identifiers. |
PAN-81416 | Fixed an issue where the Panorama management
server did not display logs from PA-5000 Series or PA-7000 Series
firewalls, did not display scheduled reports that included IP address
fields, and did not email those reports. |
PAN-81243 | Fixed an issue on PA-200, PA-220, and PA-800
Series firewalls where specifying a Life Time for
a master key (Device Master
Key and Diagnostics |
PAN-81102 | Fixed an issue where the tftp export stats-dump CLI
command failed to generate a Stats Dump file and displayed the following
error: Failed to redirect error to /var/log/pan/report_gen.log(Permission denied). |
PAN-81050 | Fixed an issue on M-Series appliances, PA-7000
Series firewalls, and PA-5000 Series firewalls where the disk-failed , disk-faulty ,
and pair-disappeared RAID events had only
a medium severity level in System logs. With this fix, these events have
a critical severity level. |
PAN-80908 | Fixed an issue where administrators with
the device administrator role did not have the role privileges required
to run the scp import software CLI command. |
PAN-80889 | Fixed an issue where a Panorama management
server deployed behind a NAT device could not manage firewalls running
PAN-OS 8.0. With this fix, you must run a new operational mode CLI
command on a Panorama management server that is behind a NAT device,
runs PAN-OS 8.0 or a later release, and manages firewalls running
PAN-OS 8.0 or a later release. The CLI command is set dlsrvr server ,
where <FQDN> <FQDN> |
PAN-79367 | Fixed an issue where endpoints could not
authenticate to a GlobalProtect portal through client certificate
authentication due to an incorrect certificate status when the portal
used a Certificate Profile that specified
Online Certificate Status Protocol (OCSP) to validate certificates (Network GlobalProtect Portals <portal> Authentication |
PAN-79113 | Fixed an issue where, when you used the PAN-OS
XML API to request updated port-to-username mappings from a multi-user
terminal server after end users logged out, and the request specified
an invalid IP address for the terminal server, the response had
an incomplete error message that did not indicate the invalid IP
address. |
PAN-78015 | Fixed an issue on a Panorama management
server in an HA configuration where, in rare cases, the virtual
machine (VM) auth key disappeared after you rebooted the active
HA peer. |
PAN-77648 | Fixed an issue where the show system state filter-pretty sw.dev.interface.config CLI
command did not display the MAC address (hwaddr )
or maximum transmission unit (mtu )
for aggregate Ethernet interfaces. |
PAN-77519 | As an enhancement to enable comparing SNMP
output with CLI output for the rate of interface connections established
per second (CPS), the show counter interface CLI
command displays the following new counters: TCP CPS, UDP CPS, and
other CPS (for all non-TCP and non-UDP connections). |
PAN-77116 | Fixed an issue where the firewall displayed
error messages such as the following after bootup even though bootup
succeeded: Error: sysd_construct_sync_importer(sysd_sync.c:328):sysd_sync_register() failed: (111) Unknown error code. |
PAN-75340 | Fixed an issue where the GlobalProtect portal
did not comply with HTTP Strict Transport Security (HSTS) when redirecting
users from HTTP to HTTPS upon accessing the portal login page. With
this fix, HSTS is enabled to secure the redirect to HTTPS, the portal
requires a valid server certificate, the endpoint browser displays
a warning to users with invalid client certificates who access the
login page using an IP address instead of an FQDN, and you cannot
use the same FQDN for both the login page and firewall Management
interface. |
PAN-75068 | Fixed an issue where VM-Series firewalls
on NSX prevented client-server TCP sessions from closing at the
correct time when you configured a reset Action in
Security policy rules (Policies Security <rule> Actions |
PAN-68878 | Fixed an issue where firewalls in an active/active
HA configuration sent packets out of order. |
PAN-64376 | Fixed an issue where you could not set the
QoS Egress Max to more than 16,000 Mbps for an aggregate Ethernet
interface ( Network QoS <interface> Physical Interface If you downgrade from a PAN-OS 8.0 release to PAN-OS
7.1.15 or an earlier release, you must reset the QoS Egress
Max to 16,000 Mbps or less to avoid commit failures. |
PAN-59996 | Fixed an issue where VM-Series firewalls
did not apply NAT translation to the ports in the via and contact
headers of Session Initiation Protocol (SIP) sessions after you
enabled Dynamic IP and Port (DIPP) NAT. |
PAN-59749 | Fixed an issue where the firewall intermittently
dropped VPN tunnel traffic between virtual systems. |
Recommended For You
Recommended Videos
Recommended videos not found.