PAN-OS 8.1.0 Addressed Issues

PAN-OS® 8.1.0 addressed issues
Issue ID
Fixed an issue that occurred during the reboot process and caused some firewalls to go in to maintenance mode.
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls only
) Fixed an issue where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama™ management server) while committing changes to device or network settings or while installing a content update.
Fixed an issue on Panorama virtual appliances for AWS in a high availability (HA) configuration where the primary peer did not synchronize template changes to the secondary peer.
Fixed an issue where PA-5200 Series firewalls rebooted when you ran the
set ssh service-restart mgmt
CLI command multiple times.
Fixed an issue where client connections initiated with HTTP/2 failed during SSL Inbound Inspection decryption because the firewall removed the Application-Layer Protocol Negotiation (ALPN) extension within the server hello packet instead of forwarding the extension to the client.
Fixed an issue where the Panorama management server did not display new logs collected on M-Series Log Collectors because the logging search engine did not register during system startup when logging disk checks and RAID mounting took longer than two hours to complete.
A security-related fix was made to prevent a local privilege escalation vulnerability that could potentially result in the deletion of files (CVE-2018-9242).
Fixed an issue where commits failed after you changed the default
Size Limit
to a custom value for MacOSX files that the firewall forwarded to WildFire® (
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS® session browser (CVE-2018-7636).
Fixed an issue on the Panorama management server where Device Group and Template administrators could not display or edit the
Log Settings
in a template.
Fixed an issue where, after you downgraded a firewall from PAN-OS 8.1 to a previous PAN-OS release and then clicked
Revert Content
on the Panorama management server (
Device Deployment
Dynamic Updates
) the Current Version column displayed the content release version of the firewall when it ran PAN-OS 8.1 regardless of the content version currently installed on the firewall.
Fixed an issue where firewalls rebooted because the userid process restarted too often due to a socket binding failure that caused a memory leak.
Fixed an issue where the firewall could not authenticate to a hardware security module (HSM) partition when the partition password contained special characters.
Fixed an issue on Panorama management servers in an HA configuration where the Log Collector that ran locally on the passive peer did not forward logs to syslog servers.
Fixed an issue where firewalls with multiple virtual systems did not import external dynamic lists that you assigned to policy rules.
Fixed an issue on Panorama M-Series and virtual appliances where the firewall was not able to override the local device configuration and failed to apply Dynamic Updates with an interval set to
Fixed an issue where the firewall advertised the OSPF not-so-stubby area (NSSA) link-state advertisement (LSA) type 7 default route to NSSA neighbors even when the OSPF backbone area was down.
Fixed two issues on a firewall configured for GlobalProtect™ Clientless VPN:
  • The firewall dataplane restarted when client cookies contained a path that did not start with a forward slash (/).
  • The firewall did not properly reinitialize client cookies that had a missing path and domain and instead used values from previously received cookies.
A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability in the PAN-OS response to a GlobalProtect gateway (CVE-2018-10139).
Fixed an issue where VM-Series firewalls in a high availability (HA) configuration with Data Plane Development Kit (DPDK) enabled experienced HA path monitoring failures and (in active/passive deployments) HA failover.
Fixed an issue where the Panorama management server did not run
reports or custom reports because the reportd process stopped responding when an administrator tried to access a device group to which that administrator did not have access.
Fixed an issue where the firewall rebooted because the User-ID™ process (useridd) restarted several times when endpoints, while requesting services that could not process HTTP 302 responses (such as Microsoft update services), authenticated to Captive Portal through NT LAN Manager (NTLM) and immediately disconnected.
Fixed an issue on the Panorama management server where, after an administrator selected
Force Template Values
when editing Push Scope selections (
Push to Devices
), the setting persisted as enabled for that administrator in all subsequent push operations instead of defaulting to disabled. With this fix,
Force Template Values
is disabled by default for every push operation until, and only if, the administrator manually enables the setting.
A protocol-related fix was made to address a bug in the OSPF protocol.
Fixed an issue where firewalls could not connect to M-500 or M-600 appliances in PAN-DB mode due to certificate validation failures. With this fix, the appliances add an IP address to the Subject Alternative Name (SAN) field when generating the certificates used for firewall connections.
Fixed an issue where a firewall was able connect to Panorama using an expired certificate.
Fixed an issue where SNMP managers indicated syntax errors in PAN-OS MIBs, such as forward slash (/) characters not used within quotation marks (“”). You can find the updated MIBs at
Fixed an issue where a GlobalProtect user first logged in with a RADIUS authentication profile, the Domain-UserName appeared as user@domain (instead of domain\user) in the PAN-OS web interface.
Fixed an issue on the Panorama management server where commit operations stopped progressing after reaching 99 per cent completion.

Recommended For You