End-of-Life (EoL)
PAN-OS 8.0.9 Addressed Issues
PAN-OS® 8.0.9 addressed issues
Issue ID | Description |
---|---|
WF500-4599 | Fixed an issue on WF-500 appliance clusters
where attempts to submit samples for analysis through the WildFire
XML API failed with a 499 or 502 error in the HTTP response when
the local worker was fully loaded. |
WF500-4535 | Fixed an issue where the WF-500 appliance could
not forward logs over TCP or SSL to a syslog server. |
WF500-4473 | Fixed an issue where the root partition on
the WF-500 appliance reached its maximum storage capacity because
the following log files had no size limit and grew continuously:
appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log,
cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log,
trap-access.log, and wpc_build_detail.log logs have a limit of 10MB
and the WF-500 appliance maintains one rotating backup file for
each of these logs to store old data when a log exceeds the limit.
Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log
logs have a limit of 5MB and the WF-500 appliance maintains eight
rotating backup files for each of these logs. |
WF500-4472 | Fixed an issue where the WF-500 appliance restarted
because the virtual memory limit was too small for the management
server ( mgmtsrvr ) process. With this fix, mgmtsrvr
has a higher virtual memory limit. |
WF500-4190 | Fixed an issue on WF-500 appliances where
the show cluster all-peers CLI command displayed siggen-db:Ready (signature
generation database ready) for worker nodes in a WildFire cluster
even though worker nodes don't generate signatures. With this fix,
the command displays siggen-db:Stopped for
worker nodes. |
PAN-94845 | Fixed an issue where App-ID did not recognize
GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port
2152 when only single-direction message packets arrived (Traffic
logs indicated application insufficient-data ). |
PAN-94386 | Fixed an issue where the firewall dropped
packet data protocol (PDP) context update and delete messages that
had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling
Protocol (GTP) traffic, and the traffic failed when the dropped
messages were valid. |
PAN-94170 | Fixed an issue where GPRS Tunneling Protocol
(GTP) traffic failed because the firewall dropped GTP-U echo request
packets. |
PAN-93106 | Fixed an issue where the Google Chrome browser
displayed certificate warnings for self-signed ECDSA certificates
that you generated on the firewall. |
PAN-92916 | Fixed an issue where firewalls configured
for User-ID redistribution failed to redistribute IP address-to-username
mappings due to a memory leak. |
PAN-92604 | Fixed an issue where a Panorama Collector
Group did not forward logs to some external servers after you configured
multiple server profiles ( Panorama Collector Groups <Collector_Group> Collector Log Forwarding |
PAN-92564 | Fixed an issue where a small percentage
of writable third-party SFP transceivers (not purchased from Palo
Alto Networks®) stopped working or experienced other issues after
you upgraded the firewall to which the SFPs are connected to PAN-OS
8.0.8 or an earlier 8.0 release. With this fix, you must not reboot
the firewall after you download and install the PAN-OS 8.0 base
image until after you download and install the PAN-OS 8.0.9 release.
For additional details, upgrade considerations, and instructions
for upgrading your firewalls, refer to the PAN-OS 8.0 upgrade information. |
PAN-92560 | Fixed an issue where SSL Forward Proxy decryption
did not work after you excluded every predefined Hostname from decryption (Device Certificate Management SSL Decryption Exclusion |
PAN-92268 | Fixed an issue on PA-7000 Series and PA-5200
Series firewalls where one or more dataplanes did not pass traffic
when you ran several operational commands (from any firewall user
interface or from the Panorama management server) while committing
changes to device or network settings or while installing a content
update. |
PAN-92254 | Fixed an issue on PA-7000 Series firewalls
with 20GXM Magnum NPC cards where commits failed when the firewall
configuration was large. With this fix, the 20GXM Magnum NPC cards
have a larger internal configuration memory allocator and CTD memory
buffer. |
PAN-92170 | Fixed an issue on VM-500 and VM-700 firewalls
where you could not configure connections to more than 400 Terminal
Services (TS) agents even though those firewall models were designed
to support up to 1,000 TS agent connections. |
PAN-91776 | Fixed an issue where end users could not authenticate
to GlobalProtect when you specified a User Domain with Microsoft-supported
symbols such as the dollar symbol ($) in the authentication profile (Device Authentication Profile |
PAN-91774 | Fixed an issue on Panorama management servers
in an HA configuration where the primary peer did not synchronize
template changes to the secondary peer. |
PAN-91689 | Fixed an issue where the Panorama management
server removed address objects and, in the Network tab
settings and NAT policy rules, used the associated IP address values
without reference to the address objects before pushing configurations
to firewalls. |
PAN-91564 | A security-related fix was made to prevent
a local privilege escalation vulnerability that allowed administrators
to access the password hashes of local users (CVE-2018-9334). |
PAN-91559 | Fixed an issue where PA-5200 Series firewalls
caused slow traffic over IPSec VPN tunnels because the firewalls
reordered TCP segments during IPSec encryption. |
PAN-91452 | Fixed an issue where end users could not access
applications through GlobalProtect Clientless VPN when the HTTP
responses had both Transfer-Encoding and Content-Length headers. |
PAN-91113 | Fixed an issue where the mprelay process
stopped responding when processing IPv6 neighbor discovery updates. |
PAN-90970 | Fixed an issue on the Panorama management server
where a policy rule dialog automatically closed within a couple
of seconds after you opened it to create or edit a rule. |
PAN-90956 | Fixed an issue where the firewall did not forward
Correlation logs to syslog servers over UDP. |
PAN-90899 | Fixed an issue on Panorama management servers
in an HA configuration where a firewall did not resume forwarding
logs to the Log Collector on the passive Panorama peer after disconnecting
and reconnecting to that peer. |
PAN-90858 | Fixed an issue on the Panorama management server
where, after you clicked Send Test Log to
verify that an external web server could receive firewall logs (Panorama Server Profiles HTTP <HTTP_server_profile> Payload Format configd process
restarted and the Panorama user interfaces became unresponsive until
the process finished restarting. |
PAN-90755 | Fixed an issue on firewalls in an HA configuration
where endpoints did not decapsulate VPN tunnel traffic after HA
failover and had to reconnect to the GlobalProtect gateway. |
PAN-90753 | Fixed an issue where firewalls in an active/passive
HA configuration did not synchronize multicast sessions between
the firewall HA peers. |
PAN-90683 | Fixed an issue on PA-5200 Series firewalls
in an active/passive HA configuration where the passive firewall
displayed 10Gbps copper interfaces (ethernet1/1 to ethernet1/4)
as up even when the connecting device (such as a switch) indicated
the interfaces were down. |
PAN-90622 | Fixed an issue where accessing websites took
longer than expected when the firewall applied SSL Inbound Inspection
decryption to the websites and used CRL or OCSP to verify the status
of certificates. |
PAN-90565 | Fixed an issue where the firewall did not accept
wildcards (*) as standalone characters to match all IMSI identifiers
when you configured IMSI Filtering in a GTP
Protection profile (Objects Security Profiles GTP Protection |
PAN-90411 | Fixed an issue where PA-5200 Series firewalls
did not forward buffered logs to Panorama Log Collectors after connectivity
between the firewalls and Log Collectors was disrupted and then
restored. |
PAN-90301 | Fixed an issue where the firewall generated
false positives during GTP-in-GTP checks because it detected some
DNS-in-GTP packets as GTP-in-GTP packets ( Objects Security Profiles GTP Protection <GTP_Protection_profile> GTP Inspection GTP-U |
PAN-90143 | Enhanced memory usage to reduce the frequency
of out-of-memory events that intermittently caused the firewall
to continuously restart processes, which prevented administrators
from logging in to the firewall. PAN-93839 provides
the complete and final fix for this out-of-memory condition in PAN-OS
8.0.10. |
PAN-90096 | Fixed an issue where Threat logs recorded incorrect
IMSI values for GTP packets when you enabled Packet Capture in Vulnerability
Protection profiles (Objects Security Profiles Vulnerability Protection <Vulnerability_Protection_profile> Rules |
PAN-89471 | Fixed an issue where firewalls rebooted because
the userid process restarted too often due to a socket binding
failure that caused a memory leak. |
PAN-89175 | Fixed an issue where a firewall acting as an
endpoint of an IPSec VPN tunnel dropped Encapsulating Security Payload
(ESP) packets received on the old IPSec security association (SA)
after rekeying and before receiving a delete message for the old
IPSec SA. With this fix, the firewall retains the old IPSec SA for
30 seconds while waiting for a delete message from the tunnel peer. |
PAN-89171 | Fixed an issue on firewalls in an HA configuration
where an auto-commit failed (the error message was Error:Duplicate user name )
after you connected a new suspended-secondary peer to an active-primary
peer. |
PAN-89030 | Fixed an issue where the firewall could not
authenticate to a hardware security module (HSM) partition when
the partition password contained special characters. |
PAN-88999 | Fixed an issue where the Panorama management
server did not return values based on the match criteria you configured
in dynamic address groups ( Objects Address Groups |
PAN-88930 | Fixed an issue where Threat logs and WildFire
Submissions logs were not consistent with each other in terms of
indicating whether the firewall blocked a file that had multiple
threat identifiers. With this fix, the firewall ensures the logs
are consistent by forwarding only one threat identifier for each
file that it sends to WildFire. |
PAN-88904 | Fixed an issue where, after you disabled session
offloading (using the set session offload no CLI
command), flapping occurred for sessions that completed Layer 7
inspection. |
PAN-88879 | Fixed an issue where the firewall flooded
the logrcvr.log file with the following error message: Errorreading the log record from logdb, Last read seqno: 0 . |
PAN-88760 | Fixed an issue where firewalls in an HA
configuration stayed in a non-functional state after a dataplane
restart because they did not boot up properly. |
PAN-88665 | Fixed an issue where SSL connections failed
because the firewall did not properly initialize certificates during
a reboot. |
PAN-88547 | Fixed an issue where the firewall did not accept AS:0 as
a value in the Set Community list of a BGP
redistribution profile (Network Virtual Routers <router> BGP Redist Rules |
PAN-88537 | Fixed an issue where the Panorama management
server displayed commit errors and failed to push configurations
to firewalls when the configurations included an Anti-Spyware security
profile that contained a threat exception ( Objects Security Profiles Anti-Spyware <Anti-Spyware_profile> Exceptions |
PAN-88535 | Fixed an issue on the Panorama management server
where the exported device state for a firewall contained a GTP Protection
profile even though the firewall did not support GPRS Tunneling
Protocol (GTP). After importing the device state into the firewall,
commit operations failed on the firewall. |
PAN-88487 | Fixed an issue where the firewall stopped enforcing
policy after you manually refreshed an external dynamic list (EDL)
that had an invalid IP address or that resided on an unreachable
web server. |
PAN-88459 | Fixed an issue where the firewall returned
an empty response for the PAN-OS XML API call used to display the
number of IP address-to-username mappings. |
PAN-88229 | Fixed an issue where the firewall rebooted
because the dnsproxy process restarted multiple times. |
PAN-88159 | Fixed an issue on PA-5200 Series firewalls
in an active/active HA configuration where traffic latency was higher
than expected because PAN-OS intermittently looped OSPF, PIM, and
IGMP packets between the HA peers. |
PAN-88104 | Fixed an issue on the Panorama management server
where, after you cloned an object or policy rule, the user interfaces
became unresponsive and displayed an error when you attempted to
log back in. |
PAN-87990 | Fixed an issue where the WF-500 appliance became
inaccessible over SSH and became stuck in a boot loop after you
upgraded from a release lower than PAN-OS 8.0.1 to PAN-OS 8.0.5
or a later release. |
PAN-87783 | Fixed an issue where a custom report configuration
did not display the Description value after
you configured the report, closed it, and reopened it (Monitor Manage Custom Reports <custom_report> |
PAN-87655 | Fixed an issue where clicking the refresh button
in the Monitor Session
Browser |
PAN-87303 | Fixed an issue where the Panorama management
server displayed WF-500 appliances in the list of devices that were
available to Install Panorama M-Series software
updates (Panorama Device
Deployment Software |
PAN-87271 | Fixed an issue in Large-Scale VPN (LSVPN) deployments
where the firewall used incorrect traffic routes because it did
not flush routes learned from GlobalProtect Satellites from the
routing table in a GlobalProtect gateway after you disabled the Accept published
routes option (Network GlobalProtect Gateways <gateway> Satellite Route Filter |
PAN-86936 | Fixed an issue on Panorama Log collectors where
logs were temporarily unavailable because the vldmgr process
restarted. |
PAN-86873 | Fixed an issue where the firewall advertised
the OSPF not-so-stubby area (NSSA) link-state advertisement (LSA)
type 7 default route to NSSA neighbors even when the OSPF backbone
area was down. |
PAN-86164 | Fixed an issue where the PA-220 firewall intermittently
performed slower than expected when processing heavy traffic. With
this fix, the comm , dha , tund , and mprelay processes
have improved performance. |
PAN-85919 | Fixed an issue where you could not select
check boxes in the firewall web interface when using the Safari
v11 browser. |
PAN-85633 | Fixed an issue on firewalls with IPv6 routing
enabled where the firewalls routed traffic to a single subnetwork
instead of multiple subnetworks when the same link-local IP address
was used as a next hop for routing in multiple IPv6 subnetworks
over a tagged Layer 3 interface ( Network Interfaces Ethernet/VLAN <interface> IPV6 |
PAN-85393 | Fixed an issue where the Panorama management
server displayed a File not found error
after you tried to download a threat PCAP file when Panorama and
Dedicated Log Collectors were in different timezones. |
PAN-84885 | Fixed an issue where configuring more than
one EDL caused a memory leak in the device-server ( devsrvr )
process. |
PAN-84879 | Fixed an issue on the Panorama management server
where the ACC Threat Activity |
PAN-83894 | Fixed an issue on firewalls with multiple virtual
systems where setting the Virtual System to All in
the ACC tab enabled a virtual system administrator
to see zones in all virtual systems instead of just the zones in
the virtual system for which the administrator had the required
role privileges. |
PAN-83879 | Fixed an issue on the Panorama management
server where the debug log-collector log-collection-stats show incoming-logs CLI
command did not display the correct log forwarding statistics for
logs that Log Collectors forwarded to external services (such as
a syslog server). |
PAN-83001 | Fixed an issue where the firewall dropped packets
based on a QoS class even though traffic did not exceed the maximum
bandwidth for that class. |
PAN-81924 | Fixed an issue on firewalls in an HA and DHCP
configuration where the Peer HA1 IP Address displayed
an outdated, static IP address instead of the DHCP-assigned IP address (Device High Availability General |
PAN-81698 | Fixed an issue where the firewall did not correctly
enforce administrative account expiration settings ( Device Setup Management Minimum Password Complexity |
PAN-80686 | Fixed an issue where the firewall reported
incorrect SNMP values for the received bytes (OID iso.3.6.1.2.1.2.2.1.10)
and transmitted bytes (OID iso.3.6.1.2.1.2.2.1.16) of aggregate
Ethernet subinterfaces. |
PAN-80569 | Fixed an issue where firewalls could not connect
to M-500 appliances in PAN-DB mode due to certificate validation
failures. With this fix, the appliances add an IP address to the
Subject Alternative Name (SAN) field when generating the certificates
used for firewall connections. |
PAN-80222 | Fixed an issue where the firewall did not update
EDL information because the firewall sent EDL queries using its
default service route interface as the Source Interface instead
of the EDL-specific service route you configured (Device Setup Services |
PAN-79989 | Fixed an issue on firewalls with custom signatures
configured where low memory conditions intermittently caused commit
or content installation failures with the following error: Threatdatabase handler failed . |
PAN-79872 | Fixed an issue on PA-3000 Series and PA-5000
Series firewalls where the output of the show session info CLI command
did not match the actual rate of traffic passing through the firewalls. |
PAN-79319 | Fixed an issue where the PAN-OS XML API returned
incorrect information when you sent a call for entries in an EDL. |
PAN-78903 | Fixed an issue where, after you bootstrapped
a VM-Series firewall, modified a template and device group on the
Panorama management server, and then rebooted the firewall, Panorama
displayed the firewall in the modified template and device group
as well as in the original template and device group to which you
assigned the firewall. |
PAN-78634 | Fixed an issue in Panorama templates where
the Panorama management server allowed you to configure a firewall
administrator Password (Device Administrators <administrator> Device Setup Management Minimum Password Complexity |
PAN-76632 | Fixed an issue where administrators could not
log in to the firewall web interface due to the root partition running
out of space because management logs continued growing without the
firewall ever deleting them. |
PAN-75775 | Fixed an issue where SNMP managers indicated
syntax errors in PAN-OS MIBs, such as forward slash (/) characters
not used within quotation marks (“”). You can find the updated MIBs
at https://docs.paloaltonetworks.com/misc/snmp-mibs.html. |
PAN-49312 | Fixed an issue on PA-3000 Series firewalls
where, after you manually restarted the dataplane ( Device Setup Operations |
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.