PAN-OS 8.1.0 Addressed Issues
Fixed an issue that occurred during the reboot process and caused some firewalls to go into maintenance mode.
(PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls only) Fixed an issue where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama™ management server) while committing changes to device or network settings or while installing a content update.
Fixed an issue on Panorama virtual appliances for AWS in a high availability (HA) configuration where the primary peer did not synchronize template changes to the secondary peer.
Fixed an issue where PA-5200 Series firewalls rebooted when you ran the set ssh service-restart mgmt CLI command multiple times.
Fixed an issue where client connections initiated with HTTP/2 failed during SSL Inbound Inspection decryption because the firewall removed the Application-Layer Protocol Negotiation (ALPN) extension within the server hello packet instead of forwarding the extension to the client.
A security-related fix was made to prevent a local privilege escalation vulnerability that could potentially result in the deletion of files (CVE-2018-9242).
Fixed an issue where commits failed after you changed the default Size Limit to a custom value for MacOSX files that the firewall forwarded to WildFire® (Device > Setup > WildFire).
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS® session browser (CVE-2018-7636).
Fixed an issue on the Panorama management server where Device Group and Template administrators could not display or edit the Device > Log Settings in a template.
Fixed an issue where, after you downgraded a firewall from PAN-OS 8.1 to a previous PAN-OS release and then clicked Revert Content on the Panorama management server (Panorama > Device Deployment > Dynamic Updates), the Current Version column displayed the content release version of the firewall when it ran PAN-OS 8.1 regardless of the content version currently installed on the firewall.
Fixed an issue where firewalls rebooted because the userid process restarted too often due to a socket binding failure that caused a memory leak.
Fixed an issue where the firewall could not authenticate to a hardware security module (HSM) partition when the partition password contained special characters.
Fixed an issue on Panorama management servers in an HA configuration where the Log Collector that ran locally on the passive peer did not forward logs to syslog servers.
Fixed an issue where firewalls with multiple virtual systems did not import external dynamic lists that you assigned to policy rules.
Fixed an issue where the firewall advertised the OSPF not-so-stubby area (NSSA) link-state advertisement (LSA) type 7 default route to NSSA neighbors even when the OSPF backbone area was down.
Fixed two issues on a firewall configured for GlobalProtect™ Clientless VPN:
A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability in the PAN-OS response to a GlobalProtect gateway (CVE-2018-10139).
Fixed an issue where the Panorama management server did not run ACC reports or custom reports because the reportd process stopped responding when an administrator tried to access a device group to which that administrator did not have access.
Fixed an issue where the firewall rebooted because the User-ID™ process (useridd) restarted several times when endpoints, while requesting services that could not process HTTP 302 responses (such as Microsoft update services), authenticated to Captive Portal through NT LAN Manager (NTLM) and immediately disconnected.
Fixed an issue where endpoints failed to authenticate to GlobalProtect through Kerberos when you specified the active directory (AD) FQDN instead of the AD IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Fixed an issue on the Panorama management server where, after an administrator selected Force Template Values when editing Push Scope selections (Commit > Push to Devices), the setting persisted as enabled for that administrator in all subsequent push operations instead of defaulting to disabled. With this fix, Force Template Values is disabled by default for every push operation until, and only if, the administrator manually enables the setting.
A protocol-related fix was made to address a bug in the OSPF protocol.
Fixed an issue where firewalls could not connect to M-500 or M-600 appliances in PAN-DB mode due to certificate validation failures. With this fix, the appliances add an IP address to the Subject Alternative Name (SAN) field when generating the certificates used for firewall connections.
Fixed an issue where a firewall was able to connect to Panorama using an expired certificate.
Fixed an issue where SNMP managers indicated syntax errors in PAN-OS MIBs, such as forward slash (/) characters not used within quotation marks (“”). You can find the updated MIBs at https://docs.paloaltonetworks.com/misc/snmp-mibs.html.
Fixed an issue where, when a GlobalProtect user first logged in with a RADIUS authentication profile, the Domain-UserName appeared as user@domain (instead of domain\user) in the PAN-OS web interface.