PAN-OS 8.1.1 Addressed Issues

Issue ID
Description
WF500-4599
Fixed an issue on WF-500 appliance clusters where attempts to submit samples for analysis through the WildFire XML API failed with a 499 or 502 error in the HTTP response when the local worker was fully loaded.
WF500-4535
Fixed an issue where the WF-500 appliance couldn’t forward logs over TCP or SSL to a syslog server.
WF500-4473
Fixed an issue where the root partition on the WF-500 appliance reached its maximum storage capacity because the following log files had no size limit and grew continuously: appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs have a limit of 10MB and the WF-500 appliance maintains one rotating backup file for each of these logs to store old data when a log exceeds the limit. Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a limit of 5MB and the WF-500 appliance maintains eight rotating backup files for each of these logs.
WF500-4397
Fixed an issue in a WF-500 appliance cluster where the controller backup node was stuck in global-db-service: WaitingforLeaderReady status when you tried to add nodes to the cluster.
WF500-4363
Fixed an issue where firewalls and Panorama management servers couldn’t retrieve reports from a WF-500 appliance due to an interruption in its data migration after you upgraded the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later release. With this fix, you can run the new debug device data-migration show CLI command on the WF-500 appliance after each upgrade to verify data migration finished successfully (output is Migration in MySQL is successful). Don't perform additional upgrades on the WF-500 appliance until the data migration finishes.
PAN-95536
Fixed an issue where Dedicated Log Collectors failed to forward logs to syslog servers.
PAN-95504
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the management server process (mgmtsrvr) restarted after you set its debugging level to debug (through the debug management-server on debug CLI command).
PAN-95288
Fixed an issue where the firewall web interface didn't display System logs (Monitor > Logs > System) after you upgraded to PAN-OS 8.1 and then logged in using an administrative account that existed before the upgrade.
PAN-94845
Fixed an issue where App-ID didn’t recognize GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port 2152 when only single-direction message packets arrived (Traffic logs indicated application insufficient-data).
PAN-94741
Fixed an issue on the Panorama management server where characters in the Secret string of a TACACS+ server profile changed on the firewall after you pushed the server profile configuration from a template stack (Device > Server Profiles > TACACS+).
PAN-94700
Fixed an issue on the PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewalls where the GlobalProtect data file installation failed after you upgraded the firewall to PAN-OS 8.1.
PAN-94661
Fixed an issue where the firewall and Panorama management server displayed policy rules in a jumbled order when you scrolled the rule list in the Policies tab. The firewall and Panorama also opened the wrong rule for editing when you double-clicked one.
PAN-94640
Fixed an issue where System logs included the following debugging information even though the firewall successfully resolved IP addresses: Failed to resolve domain name:xxx.yyy.zz after trying all attempts to name servers: A.B.C.D, W.X.Y.Z. With this fix, daemon logs include that debugging information instead of System logs.
PAN-94633
Fixed an issue where, after upgrading the firewall to PAN-OS 8.1, LDAP authentication failed if the associated authentication profile had an Allow List with entries other than All (Device > Authentication Profile).
PAN-94569
Fixed an issue where GlobalProtect client authentication failed after you entered domains in upper case characters in the Allow List of an authentication profile (Device > Authentication Profile > <authentication_profile> > Advanced).
PAN-94445
Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable.
PAN-94387
Fixed an issue where the Check URL Category link in URL Filtering profiles opened a page that displayed a page not found error instead of opening the web page used to check the PAN-DB URL Filtering database for the URL Filtering category of a URL (Objects > Security Profiles > URL Filtering).
PAN-94386
Fixed an issue where the firewall dropped packet data protocol (PDP) context update and delete messages that had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the dropped messages were valid.
PAN-94379
Fixed an issue in a Panorama deployment with a Collector Group containing multiple Log Collectors where the logging search engine restarted after you changed the SSH keys used for high availability (HA). The disruption to the search engine caused an out-of-memory condition and caused Panorama to display logs and report data from only one Log Collector in the Collector Group.
PAN-94317
Fixed the following LDAP authentication issues:
  • Authentication failed for users who belonged to user groups for which you specified LDAP short names instead of long names in the Allow List of an authentication profile (Device > Authentication Profile).
  • When performing LDAP lookups based on entries in the Allow List of LDAP authentication profiles, the firewall treated unknown group names as usernames.
  • Authentication failed for users who belonged to multiple groups that you entered in the Allow List of different LDAP authentication profiles.
PAN-94288
Fixed an issue where the default view and maximized view of the Application Usage report (ACC > Network Activity) didn't display matching values when you set the Time to Last 12 Hrs or a longer period.
PAN-94170
Fixed an issue where GTP traffic failed because the firewall dropped GTP-U echo request packets.
PAN-94135
Fixed an issue where device monitoring did not work on the Panorama management server.
PAN-93930
Fixed an issue on firewalls with SSL decryption configured where the dataplane restarted because the all_pktproc process stopped responding after decryption errors occurred.
PAN-93865
Fixed an issue where the GlobalProtect agent couldn't split tunnel applications based on the destination domain because the Include Domain and Exclude Domain lists were not pushed to the agent after the user established the GlobalProtect connection (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > Split Tunnel > Domain and Application). In addition, the GlobalProtect agent couldn't include applications in the VPN tunnel based on the application process name because the Include Client Application Process Name list was not pushed to the agent after the user established the GlobalProtect connection.
PAN-93854
Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic due to high CPU usage by the pan_task process.
PAN-93640
Fixed an issue on firewalls where the Log Collector preference list displayed the IP address as unknown for a Panorama Log Collector deployed on AWS if the interface (ethernet1/1 to ethernet1/5) used for sending logs did not have a public IP address configured and you pushed configurations to the Collector Group.
PAN-93431
Fixed an issue where the Panorama management server failed to export Traffic logs as a CSV file (Monitor > Logs > Traffic) after you set the Max Rows in CSV Export to more than 500,000 rows (Panorama > Setup > Management > Logging and Reporting Settings > Log Export and Reporting).
PAN-93430
Fixed an issue where the firewall web interface didn't display Host Information Profile (HIP) information in HIP Match logs for end users who had Microsoft-supported special characters in their domains or usernames.
PAN-93336
Fixed an issue where the firewall intermittently became unresponsive because the management server process (mgmtsrvr) stopped responding during a commit after you configured policy rules to use external dynamic lists (EDLs).
PAN-93106
Fixed an issue where the Google Chrome browser displayed certificate warnings for self-signed ECDSA certificates that you generated on the firewall.
PAN-93090
Fixed an issue where the GCP DHCP Server took 30-50 seconds to respond to a DHCP discover request, causing DHCP IP assignments to fail.
PAN-93089
A security-related fix was made to prevent denial of service (DoS) to the management web interface (CVE-2018-8715).
PAN-93072
Fixed an issue on hardware firewalls that were decrypting SSL traffic where multiple commits in a short period of time caused the firewalls to become unresponsive.
PAN-93052
Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were withdrawn) after the associated firewall interface went down.
PAN-92950
Fixed an issue where a Panorama appliance experienced memory depletion after allowing you to mistakenly enter the IP address of the appliance when using the set deviceconfig system panorama-server <IP_address> or set log-collector <Log_Collector> deviceconfig system configuration mode CLI commands. These commands enable connectivity with separate appliances. With this fix, the command displays an error message when you specify the IP address of the appliance on which you run the command instead of the appliance to which it must connect. The correct IP address depends on the type of appliance on which you run the command:
  • Panorama management server in an HA configuration—Specify the IP address of the Panorama HA peer.
  • Dedicated Log Collector—Specify the IP addresses of the Panorama management servers, where panorama-server specifies the primary HA Panorama (or the only Panorama in a non-HA configuration) and panorama-server-2 specifies the secondary HA Panorama: set log-collector <Log_Collector> deviceconfig system {panorama-server | panorama-server-2} <IP_address>.
PAN-92944
Fixed an issue where the firewall assigned the wrong URL filtering category to traffic that contained a malformed host header. With this fix, the firewall enables the blocking of any traffic with a malformed URL.
PAN-92858
Fixed an issue where the Panorama management server could not generate reports and the ACC page became unresponsive when too many heartbeats were missed because Panorama never cleared reportIDs greater than 65535.
PAN-92445
Fixed an issue where the Panorama management server didn't display log data in Monitor > Logs, the ACC tab, or reports when Panorama was in a different timezone than the Dedicated Log Collectors because Panorama applied the wrong time filter.
PAN-92082
Fixed an issue where the firewall didn't generate URL Filtering logs for user credential submissions associated with a URL that was not a container page after you selected Log container page only and set the User Credential Submission action to alert for the URL category in a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>). With this fix, the firewall generates URL Filtering logs for user credential submissions regardless of whether you enable Log container page only in the URL Filtering profile.
PAN-92789
Fixed an issue where VM-Series firewalls deleted logs by reinitializing the logging disk when the periodic file system integrity check (FSCK) took over 30 minutes during bootup.
PAN-92788
Fixed an issue where the PAN-OS XML API returned the same job IDs for all report jobs on the firewall. With this fix, the PAN-OS XML API returns the correct job ID for each report job.
PAN-92738
Fixed an issue on the Panorama management server where administrators with read-only privileges couldn’t view deployment Schedules for content updates (Panorama > Device Deployment > Dynamic Updates).
PAN-92678
Fixed an issue on Panorama management servers in an HA configuration where, after failover caused the secondary HA peer to become active, it failed to deploy scheduled dynamic updates to Log Collectors and firewalls.
PAN-92604
Fixed an issue where a Panorama Collector Group didn’t forward logs to some external servers after you configured multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding).
PAN-92564
Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to a PAN-OS 8.1 release. With this fix, you must not reboot the firewall after you download and install the PAN-OS 8.1 base image until after you download and install the PAN-OS 8.1.1 release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.1 upgrade information.
PAN-92560
Fixed an issue where SSL Forward Proxy decryption didn’t work after you excluded every predefined Hostname from decryption (Device > Certificate Management > SSL Decryption Exclusion).
PAN-92487
Fixed an issue where enabling jumbo frames (Device > Setup > Session) reduced throughput because:
  • The firewalls hardcoded the maximum segment size (TCP MSS) within TCP SYN packets and in server-to-client traffic at 1,460 bytes when packets exceed that size. With this fix, the firewalls no longer hardcode the TCP MSS value for TCP sessions.
  • PA-7000 Series and PA-5200 Series firewalls hardcoded the maximum transmission unit (MTU) at 1,500 bytes for the encapsulation stage when tunneled clear-text traffic and the originating tunnel session were on different dataplanes. With this fix, the firewalls use the MTU configured for the interface (Network > Interfaces > <interface> > Advanced > Other Info) instead of hardcoding the MTU at 1,500 bytes.
PAN-92380
Fixed an issue where, when you tried to export a custom report, and your Chrome or Firefox browser was configured to block popup windows, the firewall instead downloaded a Tech Support File to your client system.
PAN-92256
Fixed an issue where the firewall didn't Block sessions with unsupported cipher suites based on Decryption policy rules for SSL Inbound Inspection when the rules referenced a Decryption Profile with a list of allowed ciphers that didn't match the ciphers that the destination server specified (Objects > Decryption > Decryption Profile). With this fix, the firewall checks the ciphers of both the source client and destination server against the cipher list in Decryption profiles when evaluating whether to allow sessions based on Decryption policy.
PAN-92251
Fixed an issue where VM-Series firewalls used the incorrect MAC address in DHCP messages initiated from a subinterface after you configured that subinterface as a DHCP Client (Network > Interfaces > Ethernet > <subinterface> > IPv4) and disabled the Use Hypervisor Assigned MAC Address option (Device > Management > Setup).
PAN-92163
Fixed an issue where firewalls in an active/passive HA configuration took longer than expected to fail over after you configured them to redistribute routes between an interior gateway protocol (IGP) and Border Gateway Protocol (BGP).
PAN-92152
Fixed an issue where the firewall web interface displayed a blank Device > Licenses page when you had 10 x 5 phone support.
PAN-91946
Fixed an issue where the Panorama management server intermittently did not refresh health data for managed firewalls (Panorama > Managed Devices > Health) and therefore displayed 0 for session statistics.
PAN-91945
Fixed an issue where the firewall didn't generate a System log to indicate when the reason that end users couldn’t authenticate to a GlobalProtect portal was a DNS resolution failure for the FQDNs in a RADIUS server profile (Device > Server Profiles > RADIUS).
PAN-91809
Fixed an issue on VM-Series firewalls for Azure where, after the firewall rebooted, some interfaces configured as DHCP clients intermittently did not receive DHCP-assigned IP addresses.
PAN-91776
Fixed an issue where endpoint users could not authenticate to GlobalProtect when specifying a User Domain with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (Device > Authentication Profile).
PAN-91597
As an enhancement to improve security for the firewall, the management (MGT) interface now includes the following HTTP security headers: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.
PAN-91591
Fixed an issue where the GlobalProtect agent failed to establish a TCP connection with the GlobalProtect gateway when TCP SYN packets had unsupported congestion notification flag bits set (ECN or CWR).
PAN-91564
A security-related fix was made to prevent a local privilege escalation vulnerability that allowed administrators to access the password hashes of local users (CVE-2018-9334).
PAN-91559
Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption.
PAN-91429
Fixed an issue where PA-5200 Series firewalls rebooted when you ran the set ssh service-restart mgmt CLI command multiple times.
PAN-91370
Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translated the destination address for a host that resided on a directly attached network.
PAN-91360
Fixed an issue where, in rare cases, the firewall couldn't establish connections with GlobalProtect agents because the rasmgr process stopped responding when hundreds of end users logged in and out of GlobalProtect at the same time.
PAN-91254
Fixed an issue where end user accounts were locked out after you configured authentication based on a RADIUS server profile with multiple servers (Device > Server Profiles > RADIUS) and enabled the gateway to Retrieve Framed-IP-Address attribute from authentication server (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > IP Pools). With this fix, instead of requesting framed IP addresses from all the servers in a RADIUS server profile at the same time, the firewall sends the request to only one server at a time until one of the servers responds.
PAN-90824
An enhancement was made to improve compatibility for the HTTP log forwarding feature so that you can specify the TLS version that the HTTP log forwarding feature uses to connect to the HTTP server.
To specify the version, use the debug system https-settings tls-version CLI command. (To view the version that is currently specified, use the debug system https-settings command.)
PAN-90753
Fixed an issue where firewalls in an active/passive HA configuration didn’t synchronize multicast sessions between the firewall HA peers.
PAN-90448
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't properly Rematch all sessions on config policy change for offloaded sessions (Device > Setup > Session).
PAN-90411
Fixed an issue where PA-5200 Series firewalls didn’t forward buffered logs to Panorama Log Collectors after connectivity between the firewalls and Log Collectors was disrupted and then restored.
PAN-90404
Fixed an issue where the Panorama management server intermittently displayed the connections among Log Collectors as disconnected after pushing configurations to a Collector Group (Panorama > Managed Collectors).
PAN-90347
Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs) where the firewall dropped tunneled traffic after clear text sessions were established on a different dataplane than the first dataplane (DP0).
PAN-90190
Fixed an issue on the Panorama virtual appliance on a VMware ESXi server where VMware Tools failed to start after you upgraded to PAN-OS 8.1.
PAN-90143
Fixed an issue where administrators intermittently failed to log in to the firewall because it intermittently restarted processes continuously due to an out-of-memory condition.
PAN-90048
Fixed an issue where automatic commits failed after you configured Security policy rules that referenced region objects for the source or destination and then upgraded the PAN-OS software.
PAN-89992
Fixed an issue where the firewall didn’t efficiently handle traffic in which the number of Address Resolution Protocol (ARP) packets exceeded the processing capacity of the firewall. With this fix, the firewall handles ARP packets more efficiently.
PAN-89748
Fixed an issue on the Panorama virtual appliance for Azure where commit operations failed after you added administrator accounts other than the default admin account, switched from Panorama mode to Log Collector mode, made configuration changes, and then tried to commit your changes. With this fix, Panorama removes all administrator accounts other than the default admin account when you switch to Log Collector mode. Dedicated Log Collectors support only the default admin account.
PAN-89715
Fixed an issue on PA-5200 Series firewalls in an active/passive HA configuration where failover took a few seconds longer than expected when it was triggered after the passive firewall rebooted.
PAN-89525
Fixed a configuration parsing issue where a default setup of the Authentication Profile caused the firewall to reboot during commit. If the administrator configured the Authentication Profile with any allowed values, including the default values, the configuration committed successfully. The issue was observed on a PA-500 firewall in FIPS-CC mode.
PAN-89171
Fixed an issue on firewalls in an HA configuration where an auto-commit failed (the error message was Error: Duplicate user name) after you connected a new suspended-secondary peer to an active-primary peer.
PAN-88852
Fixed an issue where VM-Series firewalls stopped displaying URL Filtering logs after you configured a URL Filtering profile with an alert action (Objects > Security Profiles > URL Filtering).
PAN-88752
Fixed an issue where User-ID agents configured to detect credential phishing didn’t detect passwords that contained a blank space.
PAN-88649
Fixed an issue where, after receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentified them as user accounts and overrode usernames with machine names in IP address-to-username mappings.
PAN-88428
Fixed an issue where the VM-Series firewall incorrectly displayed network interfaces as having a Link Speed of 1000 and a Link Duplex set to half when the actual values were different (Network > Interfaces > <interface> > Advanced).
PAN-87964
Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with a Hostname set to a Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals > <portal> > Clientless VPN > General).
PAN-87309
Fixed an issue where, after you configured a GlobalProtect gateway to exclude all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic could not be redirected if you did not configure any security profiles (such as a File Blocking profile) for your firewall Security policies.
PAN-86934
Fixed an issue where the firewall applied case sensitivity to the names of shared user groups that were defined in its local database and, as a result, users who belonged to those groups couldn't access applications through GlobalProtect Clientless VPN even after successful authentication. With this fix, the firewall ignores character case when evaluating the names of user groups in its local database.
PAN-86076
As an enhancement to improve security for GlobalProtect deployments, the GlobalProtect portal now includes the following HTTP security headers in responses to end user login requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.
PAN-86028
Fixed an issue in an HA active/active configuration where traffic in a GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing if asymmetric routing was involved.
PAN-85308
Fixed an issue in the output for on-demand custom reports (select Monitor > Manage Custom Reports > <report> and Run Now) where the <column_heading> drop-down displayed a Columns option even though you couldn't add or remove columns. With this fix, the <column_heading> drop-down no longer displays a Columns option.
PAN-83001
Fixed an issue where the firewall dropped packets based on a QoS class even though traffic didn’t exceed the maximum bandwidth for that class.
PAN-81495
Fixed an issue where connections that the firewall handles as an Application Level Gateway (ALG) service were disconnected when destination NAT and decryption were enabled.
PAN-80664
Fixed an issue where, after end users who haven't yet enrolled in Duo failed to authenticate to a GlobalProtect portal that used a RADIUS server integrated with Duo for multi-factor authentication, the portal login page displayed Invalid username or password as the authentication error instead of displaying a Duo enrollment URL so that the users could enroll.