PAN-OS 8.1.0 Addressed Issues

PAN-OS® 8.1.0 addressed issues
Issue ID
Description
PAN-92893
Fixed an issue that occurred during the reboot process and caused some firewalls to go in to maintenance mode.
PAN-92268
(PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls only) Fixed an issue where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama™ management server) while committing changes to device or network settings or while installing a content update.
PAN-91774
Fixed an issue on Panorama virtual appliances for AWS in a high availability (HA) configuration where the primary peer did not synchronize template changes to the secondary peer.
PAN-91429
Fixed an issue where PA-5200 Series firewalls rebooted when you ran the set ssh service-restart mgmt CLI command multiple times.
PAN-91361
Fixed an issue where client connections initiated with HTTP/2 failed during SSL Inbound Inspection decryption because the firewall removed the Application-Layer Protocol Negotiation (ALPN) extension within the server hello packet instead of forwarding the extension to the client.
PAN-90954
A security-related fix was made to prevent a local privilege escalation vulnerability that could potentially result in the deletion of files (CVE-2018-9242).
PAN-90842
Fixed an issue where commits failed after you changed the default Size Limit to a custom value for MacOSX files that the firewall forwarded to WildFire® (DeviceSetupWildFire).
PAN-90835
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS® session browser (CVE-2018-7636).
PAN-90521
Fixed an issue on the Panorama management server where Device Group and Template administrators could not display or edit the DeviceLog Settings in a template.
PAN-90168
Fixed an issue where, after you downgraded a firewall from PAN-OS 8.1 to a previous PAN-OS release and then clicked Revert Content on the Panorama management server (PanoramaDevice DeploymentDynamic Updates) the Current Version column displayed the content release version of the firewall when it ran PAN-OS 8.1 regardless of the content version currently installed on the firewall.
PAN-89471
Fixed an issue where firewalls rebooted because the userid process restarted too often due to a socket binding failure that caused a memory leak.
PAN-89030
Fixed an issue where the firewall could not authenticate to a hardware security module (HSM) partition when the partition password contained special characters.
PAN-88292
Fixed an issue on Panorama management servers in an HA configuration where the Log Collector that ran locally on the passive peer did not forward logs to syslog servers.
PAN-88200
Fixed an issue where firewalls with multiple virtual systems did not import external dynamic lists that you assigned to policy rules.
PAN-86873
Fixed an issue where the firewall advertised the OSPF not-so-stubby area (NSSA) link-state advertisement (LSA) type 7 default route to NSSA neighbors even when the OSPF backbone area was down.
PAN-85410
Fixed two issues on a firewall configured for GlobalProtect™ Clientless VPN:
  • The firewall dataplane restarted when client cookies contained a path that did not start with a forward slash (/).
  • The firewall did not properly reinitialize client cookies that had a missing path and domain and instead used values from previously received cookies.
PAN-84836
A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability in the PAN-OS response to a GlobalProtect gateway (CVE-2018-10139).
PAN-83900
Fixed an issue where the Panorama management server did not run ACC reports or custom reports because the reportd process stopped responding when an administrator tried to access a device group to which that administrator did not have access.
PAN-82942
Fixed an issue where the firewall rebooted because the User-ID™ process (useridd) restarted several times when endpoints, while requesting services that could not process HTTP 302 responses (such as Microsoft update services), authenticated to Captive Portal through NT LAN Manager (NTLM) and immediately disconnected.
PAN-81521
Fixed an issue where endpoints failed to authenticate to GlobalProtect through Kerberos when you specified the active directory (AD) FQDN instead of the AD IP address in the Kerberos server profile (DeviceServer ProfilesKerberos).
PAN-81417
Fixed an issue on the Panorama management server where, after an administrator selected Force Template Values when editing Push Scope selections (CommitPush to Devices), the setting persisted as enabled for that administrator in all subsequent push operations instead of defaulting to disabled. With this fix, Force Template Values is disabled by default for every push operation until, and only if, the administrator manually enables the setting.
PAN-80794
A protocol-related fix was made to address a bug in the OSPF protocol.
PAN-80569
Fixed an issue where firewalls could not connect to M-500 or M-600 appliances in PAN-DB mode due to certificate validation failures. With this fix, the appliances add an IP address to the Subject Alternative Name (SAN) field when generating the certificates used for firewall connections.
PAN-80505
Fixed an issue where a firewall was able connect to Panorama using an expired certificate.
PAN-75775
Fixed an issue where SNMP managers indicated syntax errors in PAN-OS MIBs, such as forward slash (/) characters not used within quotation marks (“”). You can find the updated MIBs at https://docs.paloaltonetworks.com/misc/snmp-mibs.html.
PAN-73316
Fixed an issue where a GlobalProtect user first logged in with a RADIUS authentication profile, the Domain-UserName appeared as user@domain (instead of domain\user) in the PAN-OS web interface.

Related Documentation