Known Issues Related to PAN-OS 8.0 Releases

List of known issues in the PAN-OS® 8.0 release.
The following list includes known issues specific to PAN-OS® 8.0 releases, which includes known issues specific to Panorama™ and GlobalProtect™, as well as known issues that apply more generally or that are not identified by an issue ID.
Issue ID
Description
Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.0 can take 30 to 60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.
A Panorama™ management server running PAN-OS 8.0 does not currently support management of appliances running WildFire® 7.1 or earlier releases. Even though these management options are visible on the Panorama 8.0 web interface (Panorama > Managed WildFire Clusters and Panorama > Managed WildFire Appliances), making changes to these settings for appliances running WildFire 7.1 or an earlier release has no effect.
GPC-2742
When you configure GlobalProtect™ portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook users who run Chrome OS 47 or a later version can encounter excessive prompts to select a client certificate.
Workaround:
To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks:
  1. Log in to the Google Admin console (https://admin.google.com) and select Device management > Chrome management > User settings.
  2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
     {"pattern": "https://[*.]", "filter": {}}
  3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.
GPC-1737
By default, the GlobalProtect app adds a route on iOS mobile endpoints that causes traffic to the GP-100 GlobalProtect Mobile Security Manager to bypass the VPN tunnel.
Workaround:
To configure the GlobalProtect app on iOS mobile devices to route all traffic—including traffic to the GP-100 GlobalProtect Mobile Security Manager—to pass through the VPN tunnel, perform the following tasks on the firewall hosting the GlobalProtect gateway (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-settings-config> > Network Settings > Access Route):
  • Add 0.0.0.0/0 as an access route.
  • Enter the IP address for the GlobalProtect Mobile Security Manager as an additional access route.
GPC-1517
For the GlobalProtect app to access an MDM server through a Squid proxy, you must add the MDM server SSL access ports to the proxy server allow list. For example, if the SSL access port is 8443, add the following line to the allow list:
  acl SSL_ports port 8443
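The squid.conf excerpt below is an added example, not part of the original page or of any Palo Alto Networks documentation. It shows where that acl line sits relative to the access rules that ship in a default squid.conf, because the line only matters as input to the stock http_access deny CONNECT !SSL_ports rule: the GlobalProtect app reaches the MDM server with an HTTP CONNECT to the SSL port, and Squid refuses a CONNECT to any port that is not in SSL_ports. Port 8443 is the example port from the entry above; the localnet source range is a placeholder you would replace with your own client subnet.

```conf
# Added example (not from the PAN-OS page): default-style Squid access rules
# with the MDM server SSL access port added. Port 8443 is the example port
# from the known issue; adjust it for your MDM server.

# Ports that may be reached with CONNECT (TLS tunnels through the proxy).
acl SSL_ports port 443
# MDM server SSL access port (added for the GlobalProtect app).
acl SSL_ports port 8443

# Ports that may be reached at all.
acl Safe_ports port 80
acl Safe_ports port 443
# MDM server SSL access port (added): a port must be in Safe_ports too,
# otherwise the first deny rule below rejects it before SSL_ports is checked.
acl Safe_ports port 8443

acl CONNECT method CONNECT

# Placeholder client range (assumption): the subnet your mobile endpoints
# or GlobalProtect clients come from.
acl localnet src 10.0.0.0/8

# Stock Squid ordering: reject unsafe ports, then reject CONNECT to anything
# outside SSL_ports, then allow the local clients and deny everyone else.
# Without the two 8443 entries above, a CONNECT to the MDM server on 8443
# is denied by the second rule and the GlobalProtect app cannot reach it.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

After editing squid.conf, run squid -k parse to check the syntax and squid -k reconfigure to apply it; keeping the two added lines next to the stock ACL definitions makes it obvious in review that only one extra port was opened rather than CONNECT to arbitrary ports.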
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
PAN-120440
There is an issue on M-500 Panorama management servers where any Ethernet interface with an IPv6 address having Private PAN-DB-URL connectivity only supports the following address format: 2001:DB9:85A3:0:0:8A2E:370:2.
PAN-120303
There is an issue where the firewall remains connected to the PAN-DB-URL server through the old management IP address on the M-500 Panorama management server, even when you configured the Eth1/1 interface.
Workaround:
Update the PAN-DB-URL IP address on the firewall using one of the methods below.
  • Modify the PAN-DB Server IP address on the managed firewall.
    1. On the web interface, delete the PAN-DB Server IP address (Device > Setup > Content-ID > URL Filtering settings).
    2. Commit your changes.
    3. Add the new M-500 Eth1/1 IP address as the PAN-DB Server IP address.
    4. Commit your changes.
  • Restart the firewall device server (devsrvr) process.
    1. Log in to the firewall CLI.
    2. Restart the devsrvr process:
       debug software restart process device-server
PAN-114041
(Panorama™ M-Series and virtual appliances only) There is a rare issue where, as a result of known issue PAN-107636, new Elasticsearch (ES) indices are empty, which prevents the web interface from displaying logs for the days associated with those indices.
The root cause of this issue is resolved in PAN-OS 8.1.7.
PAN-111866
This issue is now resolved. See PAN-OS 8.0.16 Addressed Issues.
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround:
Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
PAN-111729
If you disable DPDK mode and enable it again, you must reboot the firewall immediately.
PAN-109594
This issue is now resolved. See PAN-OS 8.0.16 Addressed Issues.
(HA configurations only) The dataplane restarts when an IPsec rekey event occurs and causes a tunnel process (tund) failure when one—but not both—HA peers is running PAN-OS 8.0.14 or PAN-OS 8.1.5.
Workaround:
Temporarily modify the IKE phase 2 lifetime for both peers (Network > Network Profiles > IPsec Crypto) to increase the interval between rekey events (default is one hour) so that no rekey event occurs before you complete the upgrade on the second peer. Alternatively, remove the HA configuration, upgrade both firewalls, and then restore the HA configuration.
PAN-108165
This issue is now resolved. See PAN-OS 8.0.18 Addressed Issues.
Memory issues on Palo Alto Networks hardware and virtual appliances cause intermittent management plane instability.
PAN-107636
This issue is now resolved. See PAN-OS 8.0.16 Addressed Issues.
(Panorama M-Series and virtual appliances only) There is a rare issue where the purge script does not remove the oldest Elasticsearch (ES) indices to make room for new ones as expected when the appliance reaches maximum capacity. This prevents the web interface from displaying any logs for the days associated with those new ES indices (see known issue PAN-114041) because those indices are empty (the appliances cannot read or write to them). If you experience this issue, contact your Support team for assistance.
PAN-106989
(PAN-OS 8.0.14 and later PAN-OS 8.0 releases) There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround:
Push templates to managed devices.
PAN-104986
(PA-800 Series firewalls only) Firewalls intermittently stop responding and require you to manually reboot due to an issue related to the stall detection feature.
PAN-103008
If your Panorama is managing firewalls that are running a PAN-OS 8.0 release, that are sending logs to Cortex Data Lake, and on which you enabled Secure Client Communication, the firewall cannot successfully establish TLS communication with Cortex Data Lake unless you use the default certificates.
Workaround:
Disable Secure Client Communication (Device > Setup > Management) for managed firewalls that are running a PAN-OS 8.0 release, or upgrade the managed firewalls to PAN-OS 8.1 so that you can choose custom (non-default) certificates for communicating with Cortex Data Lake (firewall to Log Collector communication).
PAN-102140
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
Extended Authentication (X-Auth) clients intermittently fail to establish an IPSec tunnel to GlobalProtect gateways.
PAN-100244
This issue is now resolved. See PAN-OS 8.0.14 Addressed Issues.
There is a rare issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) results in an unexpected change to the configuration that causes the firewall to drop traffic.
Workaround:
Perform a successful commit immediately after you experience this issue. Alternatively, reload an earlier successfully-committed configuration and manually refresh the FQDN list.
PAN-100154
(PAN-OS 8.0.12 and later PAN-OS 8.0 releases only) The default static route always becomes the active route and takes precedence over a DHCP auto-created default route that is pointing to the same gateway, regardless of the metrics or order of installation. Thus, when the system has both a DHCP auto-created default route and a manually configured default static route pointing to the same gateway, the firewall always installs the default static route in the FIB.
Workaround:
Set the Default Route Metric in the web interface DHCP Client configuration (Network > Interfaces > {Ethernet | VLAN} > <interface> > IPv4).
PAN-99084
(HA configurations running PAN-OS 8.0.9 or a later PAN-OS 8.0 release) If you disable the high availability (HA) configuration sync option (enabled by default), User-ID data is not synced as expected between HA peers.
Workaround:
Re-enable Config Sync (Device > High Availability > General > Setup settings).
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in the Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround:
Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
PAN-97561
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
Panorama appliances running PAN-OS 8.1.2 cannot connect to the Logging Service:
  • When you deploy a Panorama 8.1.2 virtual appliance, Panorama is unable to connect to the Logging Service and firewalls are unable to forward logs to the Logging Service.
  • If you upgrade a Panorama virtual appliance with Logging Service enabled to PAN-OS 8.1.2, both Panorama and the firewalls will continue to connect to the Logging Service but will not display information about Logging Service instances when you run the request logging-service-forwarding customerinfo fetch CLI command.
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
PAN-96734
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
The configuration daemon (configd) stops responding during a partial revert operation when reverting an interface configuration.
PAN-96587
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
PA-7000 Series and PA-5200 Series firewalls intermittently fail to forward logs to Log Collectors or the Logging Service due to DNS resolution failure for the FQDNs of those log receivers.
Workaround:
On the firewall, commit a configuration change or run the debug software restart process log-receiver CLI command.
PAN-96572
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
After end users successfully authenticate for access to a service or application, their web browsers briefly display a page indicating that authentication completed and then they are redirected to an unknown URL that the user did not specify.
PAN-96158
(PAN-OS 8.0.11 and later PAN-OS 8.0 releases) After an HA firewall cluster with graceful restart enabled on routing protocols fails over, it does not immediately display the connected, static, and host routes as Active. This issue does not impact performance, and the routes typically display as Active again within 30 seconds after the failover.
PAN-96113
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
In a deployment where the firewall connects to a Border Gateway Protocol (BGP) peer that advertises a route for which the next hop is not in the same subnetwork as the BGP peer interface, the show routing protocol bgp rib-out CLI command does not display advertised routes that the firewall sent to the BGP peer.
Workaround:
Move the next hop to the same subnetwork as the BGP peer interface.
PAN-95999
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
Firewalls in an HA active/active configuration with a default session setup and owner configuration drop packets in a GlobalProtect VPN tunnel that uses a floating IP address.
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
PAN-95736
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
The mprelay process stops responding when a commit occurs while the firewall is identifying flows that need a NetFlow update.
PAN-95717
After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.
PAN-95534
(PAN-OS 8.0.6 and later releases) The firewall does not provide an option to disable revocation status checks for syslog server certificates, and therefore log forwarding to syslog servers fails when the TLS certificate chains are not properly set up. Only firewalls running PAN-OS 8.0.6 and later releases check the revocation status of syslog server certificates.
Workaround:
Ensure the syslog servers send the full TLS certificate chains.
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
PAN-95445
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues; the fix requires the VMware NSX 2.0.4 or later plugin.
VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly drop traffic while receiving dynamic address updates after the primary Panorama in an HA configuration fails over.
PAN-95197
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose traffic and have to reconnect because the firewall drops the response message that a Gateway GPRS support node (GGSN) sends for a second Packet Data Protocol (PDP) context update.
PAN-95148
In an HA configuration, restarting the User-ID process (through the debug software restart process user-id CLI command) removes the IP address-port-user mappings of disconnected Terminal Services (TS) agents as expected on the primary firewall, but HA synchronization does not remove those mappings from the secondary firewall.
Workaround:
Restart the User-ID process on the secondary firewall.
PAN-95028
For administrator accounts that you create in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until you upgrade to PAN-OS 8.0.9 or a later release and modify the account passwords. Administrator accounts that you create in PAN-OS 8.0.9 or a later release don't require you to change the passwords to apply password profile settings.
PAN-94966
After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround:
Do not delete both disconnected and connected TS agents in the same operation.
PAN-94917
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
On Panorama Log Collectors, the show system masterkey-properties CLI command does not display the master key lifetime and reminder settings.
PAN-94853
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose GTP-U traffic because the firewall drops all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses.
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
PAN-94777
This issue is now resolved. See PAN-OS 8.0.14 Addressed Issues.
A 500 Internal Server error occurs for traffic that matches a Security policy rule with a URL Filtering profile that specifies a Continue action (Objects > Security Profiles > URL Filtering) because the firewall does not treat the API keys as binary strings.
Workaround:
Reboot the firewall.
PAN-94654
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
The published applications page for GlobalProtect Clientless VPN displays a blank application icon instead of the custom Application Icon that you specify (Network > GlobalProtect > Portals > Clientless VPN > Applications > <application>).
PAN-94452
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
The firewall records GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage packet captures (pcaps).
PAN-94382
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
On the Panorama management server, the Task Manager displays Completed status immediately after you initiate a push operation to firewalls (Commit all) even though the push operation is still in progress.
PAN-94290
(HA active/active configurations only) Fragmented packets are dropped when traversing a firewall.
PAN-94278
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
A Panorama Collector Group forwards Threat and WildFire Submission logs to the wrong external server after you configure match list profiles with the same name for both log types (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding > {Threat | WildFire} > <match_list_profile>).
Workaround:
Configure match list profiles with different names for Threat and WildFire Submission logs.
PAN-94187
The firewall does not apply tag-based matching rules for dynamic address groups unless you enclose the tag names in single quotes ('<tag_name>') in the matching rules (Objects > Address Groups > <address_group>).
PAN-94167
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
Firewalls randomly retain IP address-to-username mappings even after receiving information via User-ID Redistribution that the mapping was deleted or expired.
PAN-94023
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
The request system external-list show type ip name <EDL_name> CLI command does not display external dynamic list entries after you restart the management server (mgmtsrvr) process.
PAN-93937
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
The management server process (mgmtsrvr) on the firewall restarts whenever you push configurations from the Panorama management server.
PAN-93889
The Panorama management server generates high-severity System logs with the message Syslog connection established to server after you configure Traps log ingestion (Panorama > Log Ingestion Profile) for forwarding to a syslog server (Panorama > Server Profiles > Syslog) and commit configuration changes (Commit > Commit to Panorama).
Workaround:
Disable Traps log ingestion.
PAN-93854
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
The VM-Series firewall for NSX randomly disrupts traffic due to high CPU usage by the pan_task process.
PAN-93755
SSL decrypted traffic fails after you Enforce Symmetric Return in Policy Based Forwarding (PBF) policy rules (Policies > Policy Based Forwarding).
PAN-93753
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
High log rates cause disk space on PA-200 firewalls to reach maximum capacity.
PAN-93522
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
On firewalls in an HA configuration, traffic is disrupted because the dataplane restarts unexpectedly when the firewall concurrently processes HA messages and packets for the same session. This issue applies to all firewall models except the PA-200 and VM-50 firewalls.
PAN-93430
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
The firewall web interface doesn't display Host Information Profile (HIP) information in HIP Match logs for end users who have Microsoft-supported special characters in their domains or usernames.
PAN-93410
PA-5200 Series firewalls send logs to the passive or suspended Panorama virtual appliance in Legacy mode in an HA configuration.
Workaround:
On the active Panorama, run the request log-fwd-ctrl device <firewall_serial_number> action start CLI command, where <firewall_serial_number> is the serial number of the firewall from which you want to send logs to Panorama.
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 8.0 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
PAN-93318
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
Firewall CPU usage reaches 100 percent due to SNMP polling for logical interfaces based on updates to the Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my).
Workaround:
Restart the snmpd process by running the debug software restart process snmp CLI command. Note that restarting snmpd reduces the CPU usage to allow other operations, but does not prevent the issue from recurring the next time SNMP polling occurs for the LLDP-V2-MIB.my MIB.
PAN-93233
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
PA-7000 Series firewalls cause slow traffic over IPSec VPN tunnels when the tunnel session and inner traffic session are on different dataplanes because the firewalls reorder TCP segments during IPSec encryption.
Workaround:
Keep the tunnel session and inner traffic session on the same dataplane. To determine which dataplane the tunnel session uses, first run the show vpn tunnel name <tunnel_name> CLI command to see the tunnel identifier, and then run the show vpn flow tunnel-id <tunnel_id> command to display the dataplane (owner cpuid). To force the inner traffic session onto the same dataplane, run the set session distribution-policy fixed <dataplane> command.
PAN-93207
This issue is now resolved. See PAN-OS 8.0.15 Addressed Issues.
The firewall reports the incorrect hostname when responding to SNMP get requests.
PAN-93005
This issue is now resolved. See PAN-OS 8.0.14 Addressed Issues.
The firewall generates System logs with high severity for Dataplane under severe load conditions that do not affect traffic.
PAN-92604
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
A Panorama Collector Group does not forward logs to some external servers after you configure multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding).
PAN-92564
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
After you upgrade the firewall to a PAN-OS 8.0 release, a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) can stop working or experience other issues. For firewalls that use third-party SFPs, Palo Alto Networks recommends that you do not upgrade to PAN-OS 8.0 until a maintenance release that addresses this issue becomes available. Additionally, after a maintenance release with this fix becomes available and you begin the upgrade process, do not reboot the firewall after you download and install the PAN-OS 8.0 base image: wait until after you download and install the maintenance release before rebooting.
For additional details, upgrade considerations, and instructions for upgrading your firewalls, see the PAN-OS 8.0 upgrade information.
PAN-92487
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
Enabling jumbo frames (Device > Setup > Session) reduces throughput because:
  • The firewalls hardcode the maximum segment size (TCP MSS) within TCP SYN packets and in server-to-client traffic at 1,460 bytes when packets exceed that size.
  • PA-7000 Series and PA-5200 Series firewalls hardcode the maximum transmission unit (MTU) at 1,500 bytes for the encapsulation stage when tunneled clear-text traffic and the originating tunnel session reside on different dataplanes.
PAN-92366
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
PA-5200 Series firewalls in an active/passive HA configuration drop Bidirectional Forwarding Detection (BFD) sessions when the passive firewall is in an initialization state after you reboot it.
Workaround:
On the passive firewall, set the Passive Link State to Shutdown (Device > High Availability > General > Active/Passive Settings).
PAN-92268
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
On PA-7000 Series and PA-5200 Series firewalls, one or more dataplanes do not pass traffic when you run several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.
PAN-92163
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
Firewalls in an active/passive HA configuration take longer than expected to fail over after you configure them to redistribute routes between an interior gateway protocol (IGP) and Border Gateway Protocol (BGP).
PAN-92105
This issue is now resolved. See PAN-OS 8.0.8 Addressed Issues.
Panorama Log Collectors do not receive some firewall logs and take longer than expected to receive all logs when the Collector Group has spaces in its name.
Workaround:
Configure Collector Group names without spaces.
PAN-92017
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
Log Collectors that belong to a collector group with a space in its name fail to fully connect to one another, which affects log visibility and logging performance.
Workaround:
Configure Collector Group names without spaces.
PAN-91689
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
The Panorama management server removes address objects and, in the Network tab settings and NAT policy rules, uses the associated IP address values without reference to the address objects before pushing configurations to firewalls.
PAN-91421
The firewall dataplane restarts and results in temporary traffic loss when any process stops responding while system resource usage is running high.
PAN-91370
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
The firewall drops IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translates the destination address for a host that resides on a directly attached network.
Workaround:
Above the bidirectional rule in your NAT policy, add an NPTv6 rule that specifies no translation and matches the IPv6 address configured on the interface that the firewall uses for traffic to the directly attached network.
PAN-91361
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
Client connections initiated with HTTP/2 fail during SSL Inbound Inspection decryption because the firewall removes the Application-Layer Protocol Negotiation (ALPN) extension within the server hello packet instead of forwarding the extension to the client.
Workaround:
Disable HTTP/2 support in the servers.
PAN-91238
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
An Aggregate Ethernet (AE) interface with Link Aggregation Control Protocol (LACP) enabled on the firewall goes down after a Cisco Nexus primary virtual port channel (vPC) switch LACP peer reboots and comes back up.
Workaround:
Set a hold time on the AE interface by running the debug l2ctrld lacp set hold-time CLI command. The hold time (default is 15 seconds) specifies the delay before the firewall processes LACP protocol data units (PDUs) after LACP-enabled interfaces come up.
PAN-91236
The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine fails to register during system startup when logging disk checks and RAID mounting takes longer than two hours to complete.
PAN-91088
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
(PAN-OS 8.0.6 and later releases) On PA-7000 Series firewalls in an HA configuration, the HA3 link does not come up after you upgrade to PAN-OS 8.0.6 or a later release.
Workaround:
Unplug and replug the HSCI modules.
PAN-91059
This issue is now resolved. See PAN-OS 8.0.16 Addressed Issues.
(PAN-OS 8.0.4 and later releases) GTP log query filters don't work when you filter based on a value of unknown for the message type or GTP interface fields (Monitor > Logs > GTP).
PAN-90565
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
(PAN-OS 8.0.4 and later releases) The firewall does not accept wildcards ("*") as standalone characters to match all IMSI identifiers when you configure IMSI Filtering in a GTP Protection profile (Objects > Security Profiles > GTP Protection).
PAN-90448
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
PA-7000 Series and PA-5200 Series firewalls don't properly Rematch all sessions on config policy change for offloaded sessions (Device > Setup > Session).
Workaround:
After committing your latest changes, clear sessions that are in a discard state by running the clear session all filter state discard CLI command.
PAN-90347
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
On a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs), the firewall drops tunneled traffic after clear text sessions are established on a dataplane other than the first dataplane (DP0).
Workaround:
Use Palo Alto Networks firewalls on both ends of the IPSec tunnel, use one proxy ID per tunnel, or use only DP0 for establishing clear text sessions (run the set session processing-cpu dp0 CLI command).
PAN-90301
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
(PAN-OS 8.0.4 and later releases) The firewall generates false positives during GTP-in-GTP checks because it detects some DNS-in-GTP packets as GTP-in-GTP packets.
Workaround:
Disable GTP-in-GTP protection in the GTP Protection profile (Objects > Security Profiles > GTP Protection).
PAN-90096
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
(PAN-OS 8.0.4 and later releases) Threat logs record incorrect IMSI values for GTP packets when you enable Packet Capture in Vulnerability Protection profiles (Objects > Security Profiles > Vulnerability Protection > <vulnerability_protection_profile> > Rules).
PAN-90048
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
Automatic commits fail after you configure Security policy rules that reference region objects for the source or destination and then upgrade the PAN-OS software.
Workaround:
Run the
debug device-server reset id-manager type vsys-region
CLI command to remove stale region data and then run the
commit force
configuration mode command.
PAN-89988
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
The firewall dataplane intermittently restarts, causing traffic loss, after you attach a NetFlow server profile to an interface for which the firewall assigns an invalid identifier.
PAN-89794
This issue is now resolved. See PAN-OS 8.0.14 Addressed Issues.
(PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls only in an HA configuration) Multicast sessions intermittently stop forwarding traffic after HA failover on firewalls with hardware offloading enabled (default).
Workaround:
Disable hardware offloading by running the set session offload no CLI command and clear any multicast sessions that are already offloaded after failover by running the clear session CLI command.
PAN-89715
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
On PA-5200 Series firewalls in an active/passive high availability (HA) configuration, failover takes a few seconds longer than expected when it is triggered after the passive firewall reboots.
Workaround:
Configure the Ethernet 1/1 to 1/4 interfaces and set the Passive Link State to Auto.
PAN-89443
On PA-5200 Series firewalls, frequent changes in the fan speeds intermittently cause disk errors in the log drives. (In PAN-OS 8.0.10, the fix for PAN-93715 mitigates this issue but does not completely resolve it.)
PAN-88487
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
The firewall stops enforcing policy after an automatic or manual refresh of an External Dynamic List (EDL) that has an invalid IP address or that resides on an unreachable web server.
Workaround:
Do not refresh EDLs that have invalid IP addresses or that reside on unreachable web servers.
PAN-88440
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
A firewall configured as a DNS proxy server (Network > DNS Proxy) displays the following error when performing a name server lookup for any domain on MAC endpoints:
Got recursion not available.
PAN-88292
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
On Panorama management servers in an HA configuration, the Log Collector that runs locally on the passive peer does not forward logs to syslog servers.
PAN-87990
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
The WF-500 appliance becomes inaccessible over SSH and becomes stuck in a boot loop after you upgrade from a release lower than PAN-OS 8.0.1 and try to upgrade to PAN-OS 8.0.5 or a later release.
PAN-87122
This issue is now resolved. See PAN-OS 8.0.8 Addressed Issues.
Running the clear session all filter source CLI command eleven or more times simultaneously causes Bidirectional Forwarding Detection (BFD) flapping.
Workaround:
Run the clear session all filter source commands one at a time instead of as a batch.
PAN-86936
This issue is now resolved. See PAN-OS 8.0.9 Addressed Issues.
On Panorama Log Collectors, logs are temporarily unavailable because the vldmgr process restarts.
PAN-86903
In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.
Workaround:
To reduce the likelihood that this issue will occur, upgrade to PAN-OS 8.0.7 or a later release.
PAN-86882
This issue is now resolved. See PAN-OS 8.0.8 Addressed Issues.
The firewall dataplane slows significantly and, in some cases, stops responding if you use nested wildcards ( "*" ) with "." or "/" as delimiters in the URLs of a custom URL category (Objects > Custom Objects > URL Category) or in the Allow List of a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL-filtering-profile> > Overrides).
Workaround:
The best practice is to use a single wildcard to cover multiple tokens or the caret (^) character to target a single token. For details, see https://live.paloaltonetworks.com/t5/Management-Articles/Nested-Wildcard-in-URLs-May-Severely-Affect-Performance/ta-p/61323.
PAN-86672
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
In rare cases, a commit causes the disk to become full due to an incorrect disk quota-size value, which causes the firewall to behave unpredictably (for example, the web interface and CLI become unresponsive).
Workaround:
Restart the management server (mgmtsrvr) process by running the debug software restart process management-server CLI command.
PAN-86624
The Panorama management server doesn't display an Override button for Objects > External Dynamic Lists in child device groups that inherit the objects from parent device groups.
PAN-86583
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
The DHCP process restarts while you commit a configuration change to DHCP settings and, as a result, DHCP clients cannot receive IP addresses from a firewall configured as a DHCP server (Network > DHCP).
PAN-86226
This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues.
On PA-5000 Series firewalls running PAN-OS 8.0.5 or a later 8.0 release, insufficient proxy memory causes decryption failures and prevents users from accessing the GlobalProtect portal or gateway.
PAN-86210
On M-500 appliances, running an ACC report for a large amount of data causes Panorama to restart because of heartbeat failure.
PAN-86028
This issue is now resolved. See PAN-OS 8.0.11 Addressed Issues.
(HA active/active configurations only) Traffic in a GlobalProtect VPN tunnel in SSL mode fails after Layer 7 processing is completed if asymmetric routing is involved.
PAN-85938
This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues.
PAN-OS removes the IP address-to-username mappings of end users who log in to a GlobalProtect internal gateway within a second of logging out from it.
PAN-85691
Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate.
PAN-85410
This issue is now resolved. See PAN-OS 8.0.14 Addressed Issues.
A firewall configured for GlobalProtect Clientless VPN has two issues:
  • The firewall dataplane restarts when client cookies contain a path that does not start with a forward slash (/).
  • The firewall does not properly reinitialize client cookies that have a missing path and domain and instead uses values from previously received cookies.
PAN-85299
This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues.
On firewalls in an active/passive HA configuration with link or path monitoring enabled, a failover resulting from a link or path failure intermittently causes PAN-OS to delete host, connected, static, and dynamic routes (both OSPF and BGP) from the forwarding information base (FIB) on the firewall peer that becomes active. The link or path failure also intermittently causes PAN-OS to send unnecessary BGP withdrawal messages to BGP peers.
PAN-85228
Even though PAN-OS 8.0.5 is the minimum supported release for VMware NSX plugin 2.0.0, a Panorama management server running an earlier release does not block you from installing that plugin. After you install the NSX plugin 2.0.0, a Panorama management server running PAN-OS 8.0.4 or an earlier release does not display the status of its connection with the NSX Manager.
PAN-85209
End users cannot access websites for which the firewall applies Decryption policy and uses Online Certificate Status Protocol (OCSP) to verify the status of certificates. The issue occurs in cases where the certificate cache on the firewall is modified during the access attempts.
PAN-85103
This issue is now resolved. See PAN-OS 8.0.8 Addressed Issues.
The Panorama management server stops communicating with firewalls when the incoming log rate from firewalls exceeds the capacity of the Panorama buffers.
PAN-84792
Firewalls report an interface speed of zero for some interfaces instead of the maximum possible speed when you run an SNMP query for the ifHighSpeed object (OID 1.3.6.1.2.1.31.1.1.1.15).
PAN-84670
(PAN-OS 8.0.4 and later releases) When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy.
Workaround:
Create a Security policy rule that blocks HTTPS traffic that is not decrypted.
PAN-84642
On the Panorama management server, the Authentication Profile drop-down in authentication enforcement objects doesn't display any authentication sequences that you configured (Objects > Authentication).
PAN-84488
When you deploy PA-7000 Series or PA-5200 Series firewalls in networks that use NAT translation for Generic Routing Encapsulation (GRE) and Point-to-Point Tunneling Protocol (PPTP) traffic, client systems can use a translated IP address-and-port pair for only one connection even after you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).
PAN-84445
This issue is now resolved. See PAN-OS 8.0.8 Addressed Issues.
The firewall intermittently misidentifies the App-ID for SSL applications. This issue occurs when a server hosts multiple applications on the same port, and the firewall identifies traffic for an application using this port on the server and then inaccurately records other applications on this server-port combination as the previously identified application.
PAN-84406
This issue is now resolved. See PAN-OS 8.0.8 Addressed Issues.
On a firewall configured to collect username-to-group mappings from multiple LDAP servers over SSL/TLS-secured connections (Device > Server Profiles > LDAP), the firewall reboots because the User-ID process (useridd) restarts several times during initialization.
PAN-84199
This issue is now resolved. See PAN-OS 8.0.13 Addressed Issues.
After you disable the Skip Auth on IKE Rekey option in the GlobalProtect gateway, the firewall still applies the option: end users with endpoints that use Extended Authentication (X-Auth) don't have to re-authenticate when the key used to establish the IPSec tunnel expires (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
PAN-84045
On VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled, HA path monitoring failures and (in active/passive deployments) HA failover occurred.
Workaround:
Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
PAN-83900
This issue is now resolved. See PAN-OS 8.0.12 Addressed Issues.
The Panorama management server does not run ACC reports or custom reports because the reportd process stops responding when an administrator tries to access a device group to which that administrator does not have access.
PAN-83610
PA-5200 Series firewalls that use the network processor and have session offload enabled intermittently reset the checksum of UDP packets.
Workaround:
In PAN-OS 8.0.6 and later releases, you can disable session offload for UDP traffic by running the set session udp-offload no CLI command.
PAN-83598
VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).
PAN-83451
When you push licenses to managed firewalls (Panorama > Device Deployment > Licenses), the Panorama management server displays an incorrect error message (LicenseFeatureUnknown) along with the list of licenses that were successfully installed. You can ignore this error message because the licenses install successfully.
PAN-83146
You cannot apply the Trusted Root CA designation to certificates for which the Algorithm is Elliptic Curve DSA and the Digest is sha256 (Device > Certificate Management > Certificates).
PAN-83047
The firewall displays the following commit warning when you configure a GlobalProtect gateway with a Tunnel Interface set to the default tunnel interface (Network > GlobalProtect > Gateways > <gateway> > General) even after you enable IPv6:
Warning: tunnel tunnel ipv6 is not enabled. IPv6 address will be ignored!
PAN-82942
This issue is now resolved. See PAN-OS 8.0.10 Addressed Issues.
The firewall reboots because the User-ID process (useridd) restarts several times when endpoints, while requesting services that cannot process HTTP 302 responses (such as Microsoft update services), authenticate to Captive Portal through NT LAN Manager (NTLM) and immediately disconnect.
Workaround:
Don't configure Captive Portal to use NTLM authentication.
PAN-82278
Filtering does not work for Threat logs when you filter for threat names that contain certain characters: single quotation ('), double quotation ("), back slash (\), forward slash (/), backspace (\b), form feed (\f), new line (\n), carriage return (\r), and tab (\t).
PAN-82251
This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues.
The VM-Series firewall on AWS GovCloud does not support bootstrapping.
PAN-82125
This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues.
The firewall management plane or control plane continuously reboots after an upgrade to PAN-OS 8.0, and displays the following error message:
rcu_sched detected stalls on CPUs/tasks.
PAN-82117
This issue is now resolved. See PAN-OS 8.0.7 Addressed Issues.
PA-5000 Series firewalls in an active/active HA configuration intermittently drop packets when the session owner and session setup are on different HA peers.
PAN-82109
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.
On VM-Series firewalls, the session capacity drops to 1,248 after you activate a capacity license.
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround:
Replace the FQDN with the IP address in the Kerberos server profile.
PAN-81125
(PAN-OS 8.0.3 and later releases) On a firewall configured to connect to Terminal Services (TS) agents, importing a configuration file that does not define TS agent connections causes the User-ID service to stop responding (Device > Setup > Operations > Import named configuration snapshot).
Workaround:
Add an empty TS agent node <ts-agent/> under <devices><entry><vsys><entry> in the configuration file before importing it.
PAN-81061
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
PA-3000 Series firewalls intermittently drop long-lived sessions that are active during a content update if you immediately follow the update with an Antivirus or WildFire update.
PAN-80564
The mgmtsrvr process and other processes repeatedly restart due to abnormal system memory usage when a connection failure occurs between the firewall and a syslog server that use TCP over SSL/TLS to communicate.
Workaround:
In PAN-OS 8.0.4 and later 8.0 releases, you can stop the continuous restarts by running the debug syslog-ng restart CLI command to restart the syslog-ng process. Alternatively, for all PAN-OS 8.0 releases, you can use UDP for communication between the firewall and syslog server.
PAN-79423
Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).
Workaround:
After an explicit deny-all-and-log rule, create a security policy rule that includes the Address or Address Group objects. The deny-all-and-log rule handles all sessions not handled by any previous rule. The security policy rule containing the address objects, while it would never be used, allows you to push the address objects to managed firewalls.
PAN-79365
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Pushing Panorama template configurations to VM-Series firewalls for NSX removes those firewalls as managed devices on the Panorama management server.
Workaround:
Make minor configuration changes to Panorama and select Commit > Commit and Push. Panorama then displays the VM-Series firewalls for NSX as managed devices. You can then select Config > Revert Changes to revert the minor configuration changes to Panorama.
PAN-79291
This issue is now resolved. See PAN-OS 8.0.14 Addressed Issues.
An intermittent issue occurs with ZIP hardware offloading (hardware-based decompression) where firewalls identify ZIP files as threats when they are sent over Simple Mail Transfer Protocol (SMTP).
PAN-78718
This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues.
A PA-7000 Series firewall running PAN-OS 7.1.12, PAN-OS 7.0.17, or a PAN-OS 6.1 release (or an earlier PAN-OS 7.1 or PAN-OS 7.0 release) stops saving and displaying new logs due to a memory leak after a Panorama management server running PAN-OS 8.0 pushes a predefined GTP report that specifies a field that is unrecognized by the firewall running the earlier PAN-OS release (Monitor > Reports > Mobile Network Reports).
PAN-78224
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall truncates passwords to 40 characters when end users try to authenticate through RADIUS in the Captive Portal web form.
PAN-78055
On PA-220, PA-500, and PA-800 Series firewalls, VPN tunnel traffic intermittently fails because the keymgr process stops processing sysd messages.
Workaround:
Run the debug software restart process keymgr CLI command to restart the keymgr process.
PAN-78034
This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues.
The Threat logs that Zone Protection profiles trigger for packet type events do not record IMSI and IMEI values.
Workaround:
Select Monitor > Threat, click the spyglass icon for the Threat log to display additional details, and then double-click the related logs to see the IMSI and IMEI of the subscriber that triggered the Threat log.
PAN-77702
This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues.
Dynamic address updates take several minutes to complete on a Panorama management server in NSX deployments.
PAN-77671
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall identifies traffic to www.online-translator.com as the translator-5 application instead of as web-browsing.
PAN-77595
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
PA-7000 Series and PA-5200 Series firewalls forward a SIP INVITE based on route lookup instead of Policy-Based Forwarding (PBF) policy.
PAN-77339
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The SafeNet Client 6.2.2 does not support the necessary MAC algorithm (HMAC-SHA1) to work with Palo Alto Networks firewalls that run in FIPS-CC mode.
PAN-77213
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The Panorama management server does not forward logs to a syslog server over TCP.
PAN-77125
PA-7000 Series and PA-5200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround:
Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
PAN-77116
This issue is now resolved. See PAN-OS 8.0.8 Addressed Issues.
After bootup, the firewall displays error messages such as Error: sysd_construct_sync_importer(sysd_sync.c:328): sysd_sync_register() failed: (111) Unknown error code, even though the bootup is successful.
Workaround:
Ignore the error messages; they do not affect the firewall operations.
PAN-77062
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Administrators with a custom role cannot delete packet captures.
PAN-77033
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.
Using the debug skip-condor-reports no CLI command to force a Panorama management server running PAN-OS 8.0 to query PA-7000 Series firewalls causes PA-7000 Series firewalls running a PAN-OS 7.0 release to reboot. Do not use this command if you use Panorama running PAN-OS 8.0 to manage a PA-7000 Series firewall running a PAN-OS 7.0 release.
PAN-76832
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Modifying a BFD profile configuration (Network > Network Profiles > BFD Profile) or assigning a different BFD profile (Network > Virtual Routers > BGP) in a virtual router causes the associated routing protocol (BGP) to flap.
PAN-76779
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
On the PA-5020 firewall, the dataplane restarts continuously when a user accesses applications over a GlobalProtect Clientless VPN.
PAN-76509
This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues.
On firewalls with multiple virtual systems, custom spyware signatures work only on vsys1 (Objects > Custom Objects > Spyware).
PAN-76270
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Operations that require heavy memory usage on Log Collectors (such as ingesting logs at a high rate) cause some other processes to restart.
Workaround:
To make more memory available for processes other than logging and reporting, run the debug logdb show-heap-size <4-32> CLI command and set the memory heap to a lower size than the default 8GB.
PAN-76162
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.
A Panorama management server running a PAN-OS 8.0 release or a PAN-OS 7.1.8 or later 7.1 release does not display logs from PA-7000 Series firewalls running a PAN-OS 7.0 or 7.1 release.
Workaround:
Run the debug skip-condor-reports no command and then the debug software restart process reportd command on a Panorama management server running a PAN-OS 8.0 release so that it can successfully query PA-7000 Series firewalls running a PAN-OS 7.1 release.
Do not use the debug skip-condor-reports no command to work around this issue if you use Panorama running a PAN-OS 8.0 release to manage a PA-7000 Series firewall running a PAN-OS 7.0 release (see PAN-77033).
PAN-76058
This issue is now resolved (requires content release version 718 or a later version). See PAN-OS 8.0.4 Addressed Issues.
When migrating URL categories from BrightCloud to PAN-DB, the Panorama management server does not apply the migration to pre-rules and post-rules.
PAN-75960
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
You cannot store the master key on an HSM in PAN-OS 8.0. Doing so causes the firewall to enter maintenance mode after a reboot and to require a factory reset for recovery.
PAN-75908
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Multicast packets with stale session IDs cause the firewall dataplane to restart.
PAN-75881
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
A regression introduced in PAN-OS 8.0.0 and 8.0.1 intermittently causes the firewall dataplane to restart when combined with content updates. For details, including the relevance of content release version 709, refer to the associated Customer Advisory.
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error—the commit fails and the cluster becomes unresponsive.
PAN-74886
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The Panorama management server does not push a shared address object to firewalls when the object is part of a dynamic address group that uses a tag.
PAN-74652
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
After a firewall successfully installs a content update received from the Panorama management server, Panorama displays a failure message for that update when the associated job ID on the firewall is higher than 65536.
PAN-74632
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall does not clear IP address-to-username mappings or username-to-group mappings after reaching the limit for the number of user groups (100,000), which causes commit failures with the following errors:
user-id is not registerd
and
user-ID manager was reset. Commit is required to reinitialize User-ID.
PAN-74293
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall drops application sessions after only 30 seconds of idle traffic instead of after the session timeout associated with the application.
PAN-74139
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
On the PA-500 firewall, insufficient memory allocation causes SSL decryption errors that result in SSL session failures, and Traffic logs display the Session End Reason as decrypt-error or decrypt-cert-validation.
PAN-73964
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
You cannot upgrade VM-Series firewalls on AWS to PAN-OS 8.0.0 if they are deployed in an HA configuration.
PAN-73933
This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues.
The log receiver (logrcvr) process restarts due to a memory leak after the firewall performs a log query for correlation objects or reports and the query includes the Threat Category field.
PAN-73879
This issue is now resolved (requires content release version 658 or a later version).
You cannot clone the strict file blocking profile in PAN-OS 8.0, although cloning the basic file blocking profile (or any other Security Profile types) works as expected (Objects > Security Profiles > File Blocking).
PAN-73877
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
On a firewall with multiple virtual systems, you cannot use the web interface to generate a SAML metadata file for Captive Portal or GlobalProtect; after you click the Metadata link associated with an authentication profile, no virtual systems are available to select.
Workaround:
Access the firewall CLI, switch to the virtual system where you assigned the authentication profile (set system setting target-vsys <virtual_system>), and generate the metadata file (show sp-metadata [captive-portal | global-protect] vsys <value> authprofile <value> ip-hostname <value>).
PAN-73859
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
The VM-Series firewall on Azure supports only five interfaces (one management interface and four dataplane interfaces) instead of eight (one management interface and seven dataplane interfaces).
PAN-73849
After you perform a factory reset or private data reset on a fresh installation of the Panorama virtual appliance, the Panorama > Plugins page does not display the pre-loaded VMware NSX plugin and therefore you cannot use the web interface to install the plugin.
Workarounds:
  • Use the request plugins install vmware_nsx-<version> CLI command to install the plugin.
  • Download the plugin from the Palo Alto Networks Support Portal and then upload the plugin to Panorama. The web interface then displays the plugin for you to install.
PAN-73579
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
After you upgrade a firewall to PAN-OS 8.0, the firewall does not apply updates to the predefined Palo Alto Networks malicious IP address feeds (delivered through the daily antivirus content updates) until you perform a commit on the firewall.
Workaround:
Commit changes to the firewall daily to ensure you always have the latest version of the malicious IP address feeds.
PAN-73545
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
When adding interfaces to a VM-300, VM-500, or VM-700 firewall, you must commit twice for traffic to pass normally.
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files (Objects > Security Profiles > Data Filtering).
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround:
There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
PAN-73316
When you configure GlobalProtect to authenticate end users through RADIUS, the firewall web interface uses the user@domain format (instead of domain\user) to display users after they first log in.
Workaround:
After a HIP report is generated, the username format is normalized and updated to the correct format.
PAN-73307
When you use the ACC tab to view Tunnel Activity and you Jump to Logs, the Tunnel Inspection logs display tunnel as the tunnel type.
Workaround:
Remove tunnel type from the query in tunnel logs.
PAN-73291
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
When you set up client certificate authentication for GlobalProtect portals and gateways, you can specify a Certificate Profile with multiple certificate authority (CA) certificates that have the same common name. However, authentication fails for client certificates signed by a CA certificate that is not listed first in the Certificate Profile.
PAN-73254
This issue is now resolved. See PAN-OS 8.0.3 Addressed Issues.
After you install the VMware NSX plugin on Panorama in an HA deployment, Panorama does not automatically synchronize configuration changes between the HA peers unless you first update settings related to the NSX plugin.
Workaround:
Configure the NSX settings and commit your changes to Panorama.
PAN-73207
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
On a firewall that integrates with Okta Adaptive as the multi-factor authentication (MFA) vendor, you cannot use push notification as an authentication factor.
PAN-73168
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
After you configure the firewall web interface and the GlobalProtect portal that hosts Clientless VPN applications to share the same FQDN, your browser displays a 400 Bad Request error when you try to access the web interface.
Workaround:
The best practice is to configure separate FQDNs for the firewall web interface and the GlobalProtect portal that hosts Clientless VPN applications. As a short-term fix, clear the browser cache or close all browser windows and then open a separate browser window to log in to the web interface.
PAN-73006
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
When logging rates are high, the Monitor > App Scope > Change Monitor and Network Monitor reports sometimes fail to display data when you filter by Source or Destination IP addresses. Additionally, the Monitor > App Scope > Summary report sometimes fails to display data for the Top 5 Bandwidth Consuming Source and Top 5 Threats when logging rates are high.
PAN-72894
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Panorama does not display HA firewalls (Panorama > Managed Devices) after the configd process stops responding.
PAN-72861
When you configure a PA-5200 Series or PA-7000 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets (Policies > Tunnel Inspection > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets.
PAN-72843
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
A commit failure occurs when you try to commit a configuration that enables GlobalProtect Clientless VPN on multiple GlobalProtect portals using different DNS proxies.
Workaround:
Restart the firewall dataplane and repeat the commit.
PAN-72402
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
After you configure a BGP IPv6 aggregate address with an Advertise Filter that has both a prefix filter and a next-hop filter, the firewall advertises only the aggregate address and does not advertise the specific routes that the Advertise Filter covers (Network > Virtual Routers > <router> > BGP > Aggregate > <address> > Advertise Filters > <advertise_filter>).
Workaround:
Remove the next-hop filter so that the firewall advertises both the aggregate address and the more specific routes. This applies only to routes learned from another BGP peer; the firewall advertises locally-injected routes as expected without this workaround.
PAN-72342
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
End users who ignore the Duo V2 authentication prompt until it times out can still authenticate successfully to a GlobalProtect portal configured for two-factor authentication.
PAN-71833
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
For a TACACS+ authentication profile, the output of the test authentication authentication-profile CLI command intermittently displays authentication/authorization failed for user even though the administrator can successfully log in to the web interface or CLI using the same credentials as were specified in the test command.
PAN-71829
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
The PA-5000 Series firewall dataplane restarts when you change a certificate linked to GlobalProtect or change the minimum or maximum version of the TLS profile linked to GlobalProtect.
PAN-71765
When you use the Panorama management server to deactivate a VM-Series firewall, the deactivation completes successfully but the web interface does not update to show that deactivation is complete.
Workaround:
View deactivation status from Panorama > Managed Devices.
PAN-71556
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
MAC address table entries with a time-to-live (TTL) value of 0 are not removed as expected in Layer 2 deployments, which results in a table that continually grows larger in size.
Workaround:
Monitor the number of table entries and run the clear mac all CLI command or reboot as needed to clear the table.
PAN-71334
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
The PA-5200 Series firewall delays the transmission of audio/video streams for up to 10 seconds for VoIP calls that use Session Initiation Protocol (SIP).
PAN-71329
Local users and user groups created in the Shared location (all virtual systems) are not available for user-to-application mapping for GlobalProtect Clientless VPN applications (Clientless VPN > Applications on the GlobalProtect Portal).
Workaround:
Create users and user groups under a specific virtual system on firewalls with multiple virtual systems. On firewalls with a single virtual system (such as the VM-Series firewalls), users and user groups are created in Shared and are not configurable for Clientless VPN applications.
PAN-71271
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
When you start the log purging process after an upgrade to PAN-OS 8.0 but before starting the log migration, the log migration fails and the firewall drops new logs.
You cannot work around this issue when the log purging process starts before the log migration. To determine whether log purging has begun, run the less mp-log es_purge.log CLI command, enter a forward slash ("/"), enter deleting, and check the output. If the output indicates any matches, you cannot migrate; otherwise, you can start the migration.
PAN-71215
Using the Panorama management server to deactivate a VM-Series firewall fails and causes the firewall to become unreachable after you configure Panorama to Verify Update Server Identity (Panorama > Setup > Services > Verify Update Server Identity) and you disable this setting on the firewall (Device > Setup > Services).
Workaround:
Ensure that you configure both Panorama and the VM-Series firewall to Verify Update Server Identity before you deactivate the firewall.
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround:
Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-70353
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
GlobalProtect Clientless VPN does not work when its host is a GlobalProtect portal that you configured on an interface with DHCP Client enabled (Network > Interfaces > <interface> > IPv4).
Workaround:
Configure the interface to use Static IP addresses.
PAN-70323
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
Firewalls running in FIPS-CC mode display the following error when you try to import SHA-1 certificate authority (CA) certificates even when the private key is not included:
Import of <cert name> failed. Unsupported digest or keys used in FIPS-CC mode.
PAN-70181
This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues.
PA-7000 Series firewalls that run a large number of scheduled daily reports (near 1,000 or more) will eventually experience a memory issue that causes CLI commands to fail and ultimately causes SSH connection attempts to the management IP address to also fail.
Workaround:
Monitor memory usage and restart the mgmtsrvr process when mgmtsrvr virtual memory exceeds 6GB or mgmtsrvr resident memory exceeds 4GB.
PAN-70119
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall maps users to the Kerberos Realm defined in authentication profiles (Device > Authentication Profiles) instead of extracting the realm from Kerberos tickets.
PAN-70046
A standard 404 browser error displays if you try to use GlobalProtect Clientless VPN without the correct content release version.
Workaround:
Clientless VPN requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. Additionally, you need GlobalProtect Clientless VPN dynamic updates to use this feature.
PAN-70027 (PLUG-216)
This issue is resolved with the VMware NSX 1.0.1 plugin.
The output of the show object registered-ip all command does not include the Source of IP tag (service profile name and ID).
PAN-70023
Authentication using auto-filled credentials intermittently fails when you access an application using GlobalProtect Clientless VPN.
Workaround:
Manually enter the credentials.
PAN-69932
This issue is now resolved. See PAN-OS 8.0.5 Addressed Issues.
The Panorama web interface and CLI respond slowly when numerous NSX plugins are in progress.
PAN-69874
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
When the PAN-OS XML API sends user mappings with no timeout value to a firewall that has the Enable User Identification Timeout option disabled, the firewall assigns the mappings a timeout of 60 minutes instead of never (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Cache).
PAN-69505
When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
PAN-69367
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall incorrectly generates packet diagnostic logs and captures packets for sessions that are not part of a packet filter (Monitor > Packet Capture).
PAN-69340
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
When you use a license authorization code (capacity license or a bundle) to bootstrap a VM-Series firewall, the capacity license is not applied. This issue occurs because the firewall does not reboot after the license is applied.
Workaround:
Reboot the VM-Series firewall to activate session capacity (Device > Setup > Operations).
PAN-68974
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
On PA-3000 Series firewalls, you cannot configure a QoS Profile to have a maximum egress bandwidth (Egress Max) higher than 1Gbps for an aggregate group interface (Network > Network Profiles > QoS Profile).
PAN-68767
Panorama does not change the connection Status of an NSX manager (Panorama > VMware NSX > Service Managers) from Unknown to Registered due to a non-existent null value entry in the NSX manager response.
PAN-67950
The firewall drops Encapsulating Security Payload (ESP) packets because IPSec sessions remain stuck in opening status when Extended Authentication (X-Auth) is enabled (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
Workaround:
Disable X-Auth for the VPN tunnel.
PAN-67544
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
When a multicast forwarding information base (MFIB) times out, the packet processing process (flow_ctrl) stops responding, which intermittently causes the firewall dataplane to restart.
PAN-67422
(PAN-OS 8.0.1 and later releases) The firewall re-registers with WildFire every 15 days unless a connection failure occurs. If a firewall registered with a standalone WildFire appliance and then you configure the firewall to register with a WildFire appliance cluster, the firewall shows as registered both to the cluster and to the standalone appliance, which creates duplicate entries.
To verify that a firewall is connected to a WildFire appliance and a WildFire appliance cluster, run the following command on the WildFire cluster and standalone WildFire appliance to display all firewalls registered to that cluster and appliance:
admin@Panorama> show wildfire-appliance last-device-registration all serial-number <value>
The <value> is the 12-digit serial number of the WildFire cluster controller node or the WildFire appliance. For example, to view all firewalls on a cluster whose controller node has the serial number 002001000099, run the following command:
admin@Panorama> show wildfire-appliance last-device-registration all serial-number 002001000099
Workaround:
Run the show wildfire global devices-reporting-data command to show only firewalls that are reporting data to the WildFire appliance. If a firewall has not submitted a sample to the WildFire appliance during the past 24 hours, the firewall is not listed.
PAN-66997
This issue is now resolved. See PAN-OS 8.0.2 Addressed Issues.
On PA-7000 Series, PA-5200 Series, and PA-5000 Series firewalls, users who access applications over SSL VPN or IPSec tunnels through GlobalProtect experienced one-directional traffic.
PAN-66122
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
Firewalls do not support tunnel content inspection in a virtual-system-to-virtual-system topology.
PAN-66032
When you monitor Block IP List entries, an IP address blocked by a Vulnerability Protection profile or Anti-Spyware profile displays the Block Source to be the Threat ID (TID) and virtual system (if applicable), instead of the name of the threat that blocked the IP address. For example, the Block Source displays 41000:vsys1 (or 41000:* if there is no virtual system).
PAN-64725
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
On PA-7000 Series firewalls and on Panorama log collectors, log collection processes consume excess memory and do not process logs as expected. This issue occurs when DNS response times are slow and scheduled reports contain fields that require DNS lookups.
Workaround:
Use the debug management-server report-namelookup disable CLI command to disable DNS lookups for reporting purposes and then restart the log receiver by running debug software restart process log-receiver.
PAN-63905
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
Installing a content update or committing configuration changes on the firewall causes RTP sessions that were created from predict sessions to move from an active state to a discard state.
PAN-63274
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
When you configure tunnel content inspection for traffic in a shared gateway topology (the firewall has multiple virtual systems), inner flow sessions installed on dataplane 1 (DP1) will fail. Additionally, when networking devices behind the shared gateway initiate traffic, that traffic doesn't reach the networking devices behind the virtual systems.
PAN-62820
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
If you use the Apple Safari browser in Private Browsing mode to request a service or application that requires multi-factor authentication (MFA), the firewall does not redirect you to the service or application even after authentication succeeds.
PAN-62453
Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly and causes issues that persist after the firewall is powered on again. Refer to Issue 1332563 in the VMware release notes: https://www.vmware.com/support/pubs/nsx_pubs.html.
Workaround:
VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and should not be migrated. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.
PAN-61840
This issue is now resolved. See PAN-OS 8.0.1 Addressed Issues.
The show global-protect-portal statistics CLI command is not supported.
PAN-61834
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall captures packets of IP addresses that are not included in the packet filter (Monitor > Packet Capture).
PAN-58872
The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround:
Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.
PAN-56217
When you configure multiple DNS proxy objects that specify for the firewall to listen for DNS requests on the same interface (Network > DNS Proxy > Interfaces), the firewall applies settings only for the first DNS proxy object.
Workaround:
Modify each DNS proxy object to specify a unique interface:
  • To modify a DNS proxy object that specifies only one interface, delete the DNS proxy object and reconfigure the object with an interface that is not shared among any other objects.
  • To modify a DNS proxy object configured with multiple interfaces, delete the interface that is shared with other DNS proxy objects, click OK to save the modified object, and then Commit.
PAN-55825
Performing an AutoFocus remote search that is targeted to a PAN-OS firewall or Panorama does not work correctly when the search condition contains a single or double quotation mark.
PAN-55437
High availability (HA) for VM-Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).
PAN-55203
When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period.
Workaround:
If you need to change the reporting period for any scheduled report, create a new report for the desired time period instead of modifying the time period on an existing report.
PAN-54531
This issue is now resolved. See PAN-OS 8.0.4 Addressed Issues.
The firewall stops writing new Traffic and Threat logs to storage because the Automated Correlation Engine uses disk space in a way that prevents the firewall from purging older logs.
PAN-54254
In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicated the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.
PAN-53825
For the VM-Series NSX edition firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then perform a Device Group commit with the Include Device and Network Templates option selected. To successfully redirect traffic to the VM-Series NSX edition firewall, you must perform both a Template and a Device Group commit when you modify the zone configuration to ensure that the zones are available on the firewall.
PAN-53663
When you open the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys), and you then attempt to export PDFs from each tab, only the first request is accurate; all successive attempts will result in PDFs that are duplicates of the first report.
Workaround:
Export only one PDF at a time and wait for that export process to finish before you trigger the next export request.
PAN-53601
A Panorama management server running on an M-Series appliance cannot connect to a SafeNet Network or Thales nShield Connect hardware security module (HSM).
PAN-51969
On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on Panorama but are not sent to the VM-Series firewalls.
Workaround:
To push the Dynamic Address Group updates to the VM-Series firewalls, you must manually synchronize the configuration with the NSX Manager (Panorama > VMware Service Manager and select NSX Config-Sync).
PAN-51952
When a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the policy intermittently redirects traffic to the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight.
Workaround:
Ensure that members assigned to a security group don’t overlap with another security group and that each security group is assigned to a unique NSX Security policy rule.
PAN-51870
When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
PAN-51869
Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN-OS dequeues them.
PAN-51673
BFD sessions are not established between two RIP peers when there are no RIP advertisements.
Workaround:
Enable RIP on another interface to provide RIP advertisements from a remote peer.
PAN-51216
The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on the Panorama management server. This issue occurs intermittently on the NSX Manager when you define security policy rules to redirect traffic to the new service profiles that are available for traffic introspection, and results in the following error:
Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host <name>.
PAN-51122
On the VM-Series firewall, when you manually reset a heartbeat failure alarm on the vCenter server to indicate that the firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again.
PAN-50651
On PA-7000 Series firewalls, you must configure one data port as a log card interface because the traffic and logging capabilities of this model exceed the capabilities of the management (MGT) port. A log card interface performs WildFire file-forwarding and log forwarding for syslog, email, and SNMP and these services require DNS support. If you set up a custom service route for the firewall to perform DNS queries, services using the log card interface intermittently cannot generate DNS requests. This is only an issue if you’ve configured the firewall to use a service route for DNS requests and, in this case, you must perform a workaround to enable communication between the firewall dataplane and the log card interface.
Workaround:
Enable the firewall as a DNS proxy but don't specify an Interface for the DNS proxy object to use (Network > DNS Proxy > Interface).
PAN-50641
This issue is now resolved. See PAN-OS 8.0.6 Addressed Issues.
Enabling or disabling BFD for BGP or changing a BFD profile that a BGP peer uses causes BGP to flap.
PAN-48565
The VM-Series firewall on Citrix SDX does not support jumbo frames.
PAN-48456
IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.
PAN-47969
If you log in to the Panorama management server as a Device Group and Template administrator and you rename a device group, the Panorama > Device Groups page no longer displays any device groups.
Workaround:
After you rename a device group, perform a commit, log out, and log back in; the page then displays the device groups with the updated values.
PAN-47073
Web pages using the HTTP Strict Transport Security (HSTS) protocol do not always display properly for end users.
Workaround:
End users must import an appropriate forward-proxy-certificate for their browsers.
PAN-46344
When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.
Workaround:
On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).
PAN-45793
On a firewall with multiple virtual systems, if you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.
Workaround:
When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (for example, a GlobalProtect gateway) to ensure uniqueness.
PAN-44616
On the ACC > Network Activity tab, when you add the label Unknown as a global filter, the firewall adds the filter as A1 and the query results display A1 instead of Unknown.
PAN-44400
On a VM-Series firewall on a Citrix SDX server deployed in an active/active HA configuration, the link on a 1Gbps SFP port does not come up after successive HA failovers.
Workaround:
Use a 10Gbps SFP port instead of the 1Gbps SFP port.
PAN-44300
You cannot view WildFire analysis reports on firewalls running a PAN-OS 6.1 release that connect to a WF-500 appliance in Common Criteria mode running a PAN-OS 7.0 or later release.
PAN-43000
Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3—CVE-2014-3566) to a Security policy rule and that Security policy rule and an SSL Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround:
PAN-OS 7.0 introduced enhancements to SSL Decryption that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or you can Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy and/or SSL Inbound Inspection).
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround:
Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
PAN-40714
When you access Device > Log Settings on a firewall running a PAN-OS 7.0 or later release and then use the CLI to downgrade the firewall to a PAN-OS 6.1 or earlier release and reboot, an error message displays the next time you access Log Settings. This occurs because PAN-OS 7.0 and later releases display Log Settings in a single page whereas PAN-OS 6.1 and earlier releases display the settings in multiple sub-pages. To clear the message, navigate to another page and return to any Log Settings sub-page; the error will not recur in subsequent sessions.
PAN-40130
In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username when configuring LDAP group mappings that are pushed in a Panorama template.
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
PAN-40075
The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.
PAN-39728
The URL logging rate is reduced when HTTP header logging is enabled in the URL Filtering profile (Objects > Security Profiles > URL Filtering > URL Filtering profile > Settings).
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report. For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround:
To generate an on-demand report, click Run Now when you configure the custom report.
PAN-39501
Unused NAT IP address pools are not cleared after a single commit, so a commit fails if the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit.
Workaround:
Commit a second time, which clears the old pool allocation.
PAN-38584
When you push configurations from a Panorama management server running PAN-OS 6.1 or a later release to firewalls running PAN-OS 6.0.3 or an earlier 6.0 release, the commits fail on the firewalls due to an unexpected Rule Type error. This issue is caused by the Rule Type setting in Security policy rules that was not included in the upgrade transform, and therefore the firewalls did not recognize the new rule types.
Workaround:
Upgrade Panorama to PAN-OS 6.1 or a later release only if you also plan to upgrade all managed firewalls running PAN-OS 6.0.3 or an earlier 6.0 release to PAN-OS 6.0.4 or a later release before pushing a configuration to the firewalls.
PAN-38255
If you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
PAN-37511
Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.
PAN-37177
After deploying the VM-Series firewall, when the firewall connects to Panorama, you must issue a Panorama commit to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall will not connect back to Panorama; although the device group will display the list of devices, the device will not display in Panorama > Managed Devices.
Further, if Panorama is configured in an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer will log a critical message:
vm-cfg: failed to process registration from svm device. vm-state: active.
This message is logged until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and the VM-Series firewall is added to the passive Panorama peer.
Workaround:
To reestablish the connection to the managed devices, commit your changes to Panorama (click Commit and select Commit Type: Panorama). In case of an HA setup, the commit will initiate the synchronization of the running configuration between the Panorama peers.
PAN-37127
On the Panorama web interface, the Combined Rules Preview dialog (select Policies > Security > Post Rules and Preview Rules) does not display post rules and local rules for managed firewalls.
PAN-37044
Live migration of the VM-Series firewall is not supported when you enable SSL decryption using the SSL forward proxy method. Use SSL inbound inspection if you need support for live migration.
PAN-36730
(VM-Series for NSX firewalls only) When deleting VM-Series firewalls, all virtual machines (VMs) are deleted successfully but intermittently a few instances remain in the datastore.
Workaround:
Manually delete the VM-Series firewalls from the datastore.
PAN-36728
(VM-Series for NSX firewalls only) NSX Security policy does not redirect traffic from newly added guests or virtual machines to the VM-Series firewall even when the guests belong to a security group and are attached to the NSX Security policy.
Workaround:
Reapply the NSX Security policy on the NSX Manager.
PAN-36727
The VM-Series firewall fails to deploy and displays the following error message:
Invalid OVF Format in Agent Configuration.
Workaround:
Use the following command to restart the ESX Agent Manager process on the vCenter Server:
/etc/init.d/vmware-vpxd tomcat-restart
PAN-36433
When HA failover occurs on the Panorama management server while the VMware NSX Manager is deploying the VM-Series firewall for NSX, the licensing process fails and displays the following error:
vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround:
Delete the unlicensed instance of the VM-Series firewall on each ESXi host and redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.
PAN-36409
When viewing the Session Browser (Monitor > Session Browser), using the global refresh option (top-right corner) to update the list of sessions causes the Filters field to display incorrectly and clears any previously selected filters.
Workaround:
To maintain and apply selected filters to an updated list of sessions, click the green arrow to the right of the Filters field instead of using the global (or browser) refresh option.
PAN-36394
(VM-Series for NSX firewalls only) When the datastore is migrated for a guest, all current sessions are no longer steered to the VM-Series firewall. However, all new sessions are secured properly.
PAN-36393
When deploying the VM-Series firewall, the Task Console displays:
Error while enabling agent. Cannot complete the operation. See the event log for details.
This error displays even on a successful deployment. You can ignore the message if the VM-Series firewall is successfully deployed.
PAN-36333
When you add or edit a service object, the web interface displays the incorrect port range for both source and destination ports: 1-65535. The correct port range is 0-65535, and specifying port number 0 for either a source or destination port is successful.
PAN-36088
When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable.
PAN-36049
The vCenter Server/vmtools displayed the IP address for a guest incorrectly after VLAN tags were added to an Ethernet port. The display did not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue was seen on some Linux OS versions such as Ubuntu.
PAN-35903
When you edit a traffic introspection rule on the NSX Manager (to steer traffic to the VM-Series firewall), an "invalid (tcp) port number" or "invalid (udp) port number" error displays when you remove the destination port (TCP or UDP).
Workaround:
Delete the rule and add a new one.
PAN-35875
When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a security group; you cannot create a rule from any to any security group.
Workaround:
To redirect all traffic to the VM-Series firewall, you must create a security group that includes all the guests in the cluster. Then you can define a security policy that redirects traffic from and to the cluster so that the firewall can inspect and enforce policy on the east-west traffic.
PAN-35874
Duplicate packets are being steered to the VM-Series firewall. This issue occurs if you enable distributed vSwitch for steering in promiscuous mode.
Workaround:
Disable promiscuous mode.
PAN-34966
On a VM-Series for NSX firewall, when adding or removing a security group (container) that is bound to a Security policy, the Panorama management server does not get a dynamic update of the added or removed security group.
Workaround:
To get the latest update, select Panorama > VMware Service Manager and Synchronize Dynamic Objects to initiate a manual synchronization.
PAN-34855
On a VM-Series for NSX firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest.
PAN-33316
Adding or removing ports on the SDX server after deploying the VM-Series firewall causes a configuration mismatch on the firewall. To avoid the need to reconfigure the interfaces, consider the total number of data ports that you require on the firewall and assign the relevant number of ports on the SDX server when deploying the VM-Series firewall.
For example, if you assign ports 1/3 and 1/4 on the SDX server as data interfaces on the VM-Series firewall, the ports are mapped to eth1 and eth2. If you then add port 1/1 or 1/2 on the SDX server, eth1 will be mapped to 1/1 or 1/2, eth2 will be mapped to 1/3, and eth3 to 1/4. If ports 1/3 and 1/4 were set up as a virtual wire, this remapping will require you to reconfigure the network interfaces on the firewall.
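The remapping described for PAN-33316 can be checked before touching the SDX server. The following Python model is an added example, not Palo Alto Networks code; it assumes, as the page's example implies, that SDX data ports are assigned to eth1, eth2, ... in ascending slot/port order, and it reports which firewall interfaces (and which virtual wire pairs) would change when the port set changes.

```python
"""Model the SDX-port -> VM-Series ethN mapping described for PAN-33316.

Assumption (illustrated by the page's example, not stated as an algorithm):
SDX data ports are assigned to eth1, eth2, ... in ascending slot/port order,
so adding a lower-numbered port shifts every mapping above it.
"""
from typing import Dict, List, Tuple


def _port_key(port: str) -> Tuple[int, int]:
    """Sort key for an SDX port name such as '1/3' -> (slot 1, port 3)."""
    slot, num = port.split("/")
    return int(slot), int(num)


def map_sdx_ports(sdx_ports: List[str]) -> Dict[str, str]:
    """Return {ethN: sdx_port} with ports assigned in ascending order."""
    ordered = sorted(set(sdx_ports), key=_port_key)
    return {f"eth{i}": port for i, port in enumerate(ordered, start=1)}


def remap_impact(before: List[str], after: List[str],
                 vwire_pairs: List[Tuple[str, str]]) -> Dict[str, object]:
    """Compare the mapping before and after changing the SDX port set.

    Returns the interfaces whose backing SDX port changed and the virtual
    wire pairs (by ethN name) that would need reconfiguring on the firewall.
    """
    old, new = map_sdx_ports(before), map_sdx_ports(after)
    # An interface counts as shifted when it now sits on a different SDX port.
    shifted = sorted(eth for eth in old if new.get(eth) != old[eth])
    broken_vwires = [pair for pair in vwire_pairs
                     if any(eth in shifted for eth in pair)]
    return {"before": old, "after": new,
            "shifted": shifted, "vwires_needing_reconfig": broken_vwires}


if __name__ == "__main__":
    # Constructed scenario matching the page's example: 1/3 and 1/4 form a
    # virtual wire on eth1/eth2, then port 1/1 is added on the SDX server.
    report = remap_impact(["1/3", "1/4"], ["1/3", "1/4", "1/1"],
                          [("eth1", "eth2")])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Adding a port numbered above the existing ones (for example 1/5) leaves the existing mapping intact, which the model also shows.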
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM has been disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show ha-status or show hsm info command is blocked for 20 seconds.
PAN-31593
After you configure a Panorama M-Series appliance for HA and synchronize the configuration, the Log Collector of the passive peer cannot connect to the active peer until you reboot the passive peer.
PAN-29441
The Panorama virtual appliance does not write summary logs for traffic and threats as expected after you enter the clear log CLI command.
Workaround:
Reboot the Panorama management server (Panorama > Setup > Operations) to enable summary logs.
PAN-29411
On the Panorama management server, after switching Context to a managed firewall, you cannot upgrade the PAN-OS software.
Workaround:
Use the Panorama > Device Deployment > Software page to deploy software updates to firewalls.
PAN-29385
On an M-100 appliance, you cannot configure the IP address of the management (MGT) interface while the appliance operates as the secondary passive peer in an HA pair.
Workaround:
To set the IP address for the MGT interface, suspend the active Panorama peer, promote the passive peer to active state, change the configuration, and then reset the active peer to active state.
PAN-29053
By default, the IP header of syslog messages sent from the firewall does not include the hostname. However, some syslog implementations require this field to be present.
Workaround:
Enable the firewall to include its IP address as the hostname in the syslog header by selecting Send Hostname in Syslog (Device > Setup).
PAN-28794
When the (MGT) interface on a Panorama Log Collector has an IPv4 address and you want to configure only an IPv6 address, you can use the Panorama web interface to configure the new IPv6 address but not to remove the IPv4 address.
Workaround:
On Panorama, configure the MGT interface with the new IPv6 address, push the configuration to the Log Collector, and test connectivity using the IPv6 address to ensure that you won't lose access when you remove the IPv4 address. To remove the IPv4 address, run the delete deviceconfig system ip-address CLI command on the Log Collector and commit the change.
PAN-25101
If you add a Decryption policy rule that instructs the firewall to block SSL traffic that was not previously being blocked, the firewall will continue to forward the undecrypted traffic.
Workaround:
Use the debug dataplane reset ssl-decrypt exclude-cache command to clear the SSL decrypt exclude cache.
PAN-25046
SSH host keys used for SCP log export are stored in the known hosts file on the firewall. In an HA configuration, the SCP log export configuration is synchronized with the peer device, but the known host file is not synchronized. When a failover occurs, the SCP log export fails.
Workaround:
Log in to each peer in HA and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
PAN-23732
When you use Panorama templates to schedule a log export (Device > Scheduled Log Export) to an SCP server, you must log in to each managed device and Test SCP server connection after the template is pushed. The connection is not established until the firewall accepts the host key for the SCP server.
PAN-20656
On the Panorama web interface (Panorama > Master Key and Diagnostics) and CLI, attempts to reset the master key fail. However, this does not cause a problem when pushing a configuration from Panorama to a firewall because the keys don't have to match.
PAN-20162
If a client PC uses RDP to connect to a server running Remote Desktop Services and the user logs in to the remote server with a different username, the User-ID agent retrieves the second username when it queries the Active Directory server to gather user-to-IP mappings from the security logs. For example, if UserA logs in to a client PC and then logs in to the remote server using the username for UserB, the security log on the Active Directory server will record UserA but will then be updated with UserB. The User-ID agent then picks up UserB for the user-to-IP mapping, which is not the intended user mapping.