PAN-OS 8.1.1 Addressed Issues
PAN-OS® 8.1.1 addressed issues
Issue ID | Description |
---|---|
WF500-4599 | Fixed an issue on WF-500 appliance clusters
where attempts to submit samples for analysis through the WildFire
XML API failed with a 499 or 502 error in the HTTP response when
the local worker was fully loaded. |
WF500-4535 | Fixed an issue where the WF-500 appliance
couldn’t forward logs over TCP or SSL to a syslog server. |
WF500-4473 | Fixed an issue where the root partition
on the WF-500 appliance reached its maximum storage capacity because
the following log files had no size limit and grew continuously:
appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log,
cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log,
trap-access.log, and wpc_build_detail.log logs have a limit of 10MB
and the WF-500 appliance maintains one rotating backup file for
each of these logs to store old data when a log exceeds the limit.
Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log
logs have a limit of 5MB and the WF-500 appliance maintains eight
rotating backup files for each of these logs. |
WF500-4397 | Fixed an issue in a WF-500 appliance cluster
where the controller backup node was stuck in global-db-service: WaitingforLeaderReady status
when you tried to add nodes to the cluster. |
WF500-4363 | Fixed an issue where firewalls and Panorama
management servers couldn’t retrieve reports from a WF-500 appliance
due to an interruption in its data migration after you upgraded
the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later
release. With this fix, you can run the new debug device data-migration show CLI command
on the WF-500 appliance after each upgrade to verify data migration
finished successfully (output is Migration in MySQL is successful).
Don't perform additional upgrades on the WF-500 appliance until
the data migration finishes. |
PAN-95536 | Fixed an issue where Dedicated Log Collectors
failed to forward logs to syslog servers. |
PAN-95504 | Fixed an issue on the firewall and Panorama
management server where the web interface became unresponsive because
the management server process (mgmtsrvr) restarted
after you set its debugging level to debug (through
the debug management-server on debug CLI command). |
PAN-95288 | Fixed an issue where the firewall web interface
didn't display System logs (Monitor > Logs > System) after
you upgraded to PAN-OS 8.1 and then logged in using an administrative
account that existed before the upgrade. |
PAN-94845 | Fixed an issue where App-ID didn’t recognize
GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port
2152 when only single-direction message packets arrived (Traffic
logs indicated application insufficient-data). |
PAN-94741 | Fixed an issue on the Panorama management
server where characters in the Secret string
of a TACACS+ server profile changed on the firewall after you pushed
the server profile configuration from a template stack (Device > Server Profiles > TACACS+). |
PAN-94700 | Fixed an issue on the PA-200, PA-220, PA-220R,
PA-500, and PA-800 Series firewalls where the GlobalProtect data
file installation failed after you upgraded the firewall to PAN-OS
8.1. |
PAN-94661 | Fixed an issue where the firewall and Panorama
management server displayed policy rules in a jumbled order when
you scrolled the rule list in the Policies tab.
The firewall and Panorama also opened the wrong rule for editing
when you double-clicked one. |
PAN-94640 | Fixed an issue where System logs included
the following debugging information even though the firewall successfully
resolved IP addresses: Failed to resolve domain name:xxx.yyy.zz after trying all attempts to name servers: A.B.C.D, W.X.Y.Z.
With this fix, daemon logs include that debugging information instead
of System logs. |
PAN-94633 | Fixed an issue where, after upgrading the
firewall to PAN-OS 8.1, LDAP authentication failed if the associated
authentication profile had an Allow List with
entries other than All (Device > Authentication Profile). |
PAN-94569 | Fixed an issue where GlobalProtect client
authentication failed after you entered domains in upper case characters
in the Allow List of an authentication profile (Device > Authentication Profile > <authentication_profile> > Advanced). |
PAN-94445 | Fixed an issue where Server Message Block
(SMB) sessions were in a discard state with the session end reason resources-unavailable. |
PAN-94387 | Fixed an issue where the Check
URL Category link in URL Filtering profiles opened a
page that displayed a page not found error instead
of opening the web page used to check the PAN-DB URL Filtering database
for the URL Filtering category of a URL (Objects > Security Profiles > URL Filtering). |
PAN-94386 | Fixed an issue where the firewall dropped
packet data protocol (PDP) context update and delete messages that
had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling
Protocol (GTP) traffic, and the traffic failed when the dropped
messages were valid. |
PAN-94379 | Fixed an issue in a Panorama deployment
with a Collector Group containing multiple Log Collectors where
the logging search engine restarted after you changed the SSH keys
used for high availability (HA). The disruption to the search engine
caused an out-of-memory condition and caused Panorama to display
logs and report data from only one Log Collector in the Collector
Group. |
PAN-94317 | Fixed the following LDAP authentication
issues:
|
PAN-94288 | Fixed an issue where the default view and
maximized view of the Application Usage report (ACC > Network Activity)
didn't display matching values when you set the Time to Last
12 Hrs or a longer period. |
PAN-94170 | Fixed an issue where GTP traffic failed
because the firewall dropped GTP-U echo request packets. |
PAN-94135 | Fixed an issue where device monitoring did
not work on the Panorama management server. |
PAN-93930 | Fixed an issue on firewalls with SSL decryption
configured where the dataplane restarted because the all_pktproc process stopped
responding after decryption errors occurred. |
PAN-93865 | Fixed an issue where the GlobalProtect agent
couldn't split tunnel applications based on the destination domain
because the Include Domain and Exclude Domain lists
were not pushed to the agent after the user established the GlobalProtect
connection (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > Split Tunnel > Domain and Application).
In addition, the GlobalProtect agent couldn't include applications
in the VPN tunnel based on the application process name because
the Include Client Application Process Name list
was not pushed to the agent after the user established the GlobalProtect
connection. |
PAN-93854 | Fixed an issue where the VM-Series firewall
for NSX randomly disrupted traffic due to high CPU usage by the pan_task process. |
PAN-93640 | Fixed an issue on firewalls where the Log
Collector preference list displayed the IP address as unknown for
a Panorama Log Collector deployed on AWS if the interface (ethernet1/1
to ethernet1/5) used for sending logs did not have a public IP address
configured and you pushed configurations to the Collector Group. |
PAN-93431 | Fixed an issue where the Panorama management
server failed to export Traffic logs as a CSV file (Monitor > Logs > Traffic) after
you set the Max Rows in CSV Export to more
than 500,000 rows (Panorama > Setup > Management > Logging and Reporting Settings > Log Export
and Reporting). |
PAN-93430 | Fixed an issue where the firewall web interface
didn't display Host Information Profile (HIP) information in HIP
Match logs for end users who had Microsoft-supported special characters
in their domains or usernames. |
PAN-93336 | Fixed an issue where the firewall intermittently
became unresponsive because the management server process (mgmtsrvr)
stopped responding during a commit after you configured policy rules
to use external dynamic lists (EDLs). |
PAN-93106 | Fixed an issue where the Google Chrome browser
displayed certificate warnings for self-signed ECDSA certificates
that you generated on the firewall. |
PAN-93090 | Fixed an issue where the GCP DHCP Server
took 30-50 seconds to respond to a DHCP discover request, causing
DHCP IP assignments to fail. |
PAN-93089 | A security-related fix was made to prevent
denial of service (DoS) to the management web interface (CVE-2018-8715). |
PAN-93072 | Fixed an issue on hardware firewalls that
were decrypting SSL traffic where multiple commits in a short period
of time caused the firewalls to become unresponsive. |
PAN-93052 | Fixed an issue where IPv6 BGP peering persisted
(not all BGP routes were withdrawn) after the associated firewall
interface went down. |
PAN-92950 | Fixed an issue where a Panorama appliance
experienced memory depletion after allowing you to mistakenly enter
the IP address of the appliance when using the set deviceconfig system panorama-server <IP_address> or set log-collector <Log_Collector> deviceconfig system configuration
mode CLI commands. These commands enable connectivity with separate
appliances. With this fix, the command displays an error message
when you specify the IP address of the appliance on which you run
the command instead of the appliance to which it must connect. The
correct IP address depends on the type of appliance on which you
run the command:
|
PAN-92944 | Fixed an issue where the firewall assigned
the wrong URL filtering category to traffic that contained a malformed
host header. With this fix, the firewall enables the blocking of
any traffic with a malformed URL. |
PAN-92916 | Fixed an issue where firewalls configured
for User-ID redistribution failed to redistribute IP address-to-username
mappings due to a memory leak. |
PAN-92858 | Fixed an issue where the Panorama management
server could not generate reports and the ACC page became unresponsive
when too many heartbeats were missed because Panorama never cleared
reportIDs greater than 65535. |
PAN-92789 | Fixed an issue where VM-Series firewalls
deleted logs by reinitializing the logging disk when the periodic
file system integrity check (FSCK) took over 30 minutes during bootup. |
PAN-92788 | Fixed an issue where the PAN-OS XML API
returned the same job IDs for all report jobs on the firewall. With
this fix, the PAN-OS XML API returns the correct job ID for each
report job. |
PAN-92738 | Fixed an issue on the Panorama management
server where administrators with read-only privileges couldn’t view
deployment Schedules for content updates (Panorama > Device Deployment > Dynamic Updates). |
PAN-92678 | Fixed an issue on Panorama management servers
in an HA configuration where, after failover caused the secondary
HA peer to become active, it failed to deploy scheduled dynamic
updates to Log Collectors and firewalls. |
PAN-92604 | Fixed an issue where a Panorama Collector
Group didn’t forward logs to some external servers after you configured
multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding). |
PAN-92564 | Fixed an issue where a small percentage
of writable third-party SFP transceivers (not purchased from Palo
Alto Networks®) stopped working or experienced other issues after
you upgraded the firewall to which the SFPs are connected to a PAN-OS
8.1 release. With this fix, you must not reboot the firewall after
you download and install the PAN-OS 8.1 base image until after you
download and install the PAN-OS 8.1.1 release. For additional details,
upgrade considerations, and instructions for upgrading your firewalls,
refer to the PAN-OS 8.1 upgrade information. |
PAN-92560 | Fixed an issue where SSL Forward Proxy decryption
didn’t work after you excluded every predefined Hostname from
decryption (Device > Certificate Management > SSL Decryption Exclusion). |
PAN-92487 | Fixed an issue where enabling jumbo frames (Device > Setup > Session) reduced
throughput because:
|
PAN-92445 | Fixed an issue where the Panorama management
server didn't display log data in Monitor > Logs, the ACC tab, or
reports when Panorama was in a different timezone than the Dedicated Log
Collectors because Panorama applied the wrong time filter. |
PAN-92380 | Fixed an issue where, when you tried to
export a custom report, and your Chrome or Firefox browser was configured
to block popup windows, the firewall instead downloaded a Tech Support
File to your client system. |
PAN-92256 | Fixed an issue where the firewall didn't Block sessions
with unsupported cipher suites based on Decryption policy
rules for SSL Inbound Inspection when the rules referenced a Decryption
Profile with a list of allowed ciphers that didn't match
the ciphers that the destination server specified (Objects > Decryption > Decryption Profile). With this
fix, the firewall checks the ciphers of both the source client and
destination server against the cipher list in Decryption profiles
when evaluating whether to allow sessions based on Decryption policy. |
PAN-92251 | Fixed an issue where VM-Series firewalls
used the incorrect MAC address in DHCP messages initiated from a
subinterface after you configured that subinterface as a DHCP
Client (Network > Interfaces > Ethernet > <subinterface> > IPv4)
and disabled the Use Hypervisor Assigned MAC Address option (Device > Management > Setup). |
PAN-92163 | Fixed an issue where firewalls in an active/passive
HA configuration took longer than expected to fail over after you
configured them to redistribute routes between an interior gateway
protocol (IGP) and Border Gateway Protocol (BGP). |
PAN-92152 | Fixed an issue where the firewall web interface
displayed a blank Device > Licenses page
when you had 10 x 5 phone support. |
PAN-92082 | Fixed an issue where the firewall didn't
generate URL Filtering logs for user credential submissions associated
with a URL that was not a container page after you selected Log
container page only and set the User Credential Submission action
to alert for the URL category in a URL Filtering
profile (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>).
With this fix, the firewall generates URL Filtering logs for user
credential submissions regardless of whether you enable Log
container page only in the URL Filtering profile. |
PAN-91946 | Fixed an issue where the Panorama management
server intermittently did not refresh health data for managed firewalls (Panorama > Managed Devices > Health) and therefore displayed
0 for session statistics. |
PAN-91945 | Fixed an issue where the firewall didn't
generate a System log to indicate when the reason that end users
couldn’t authenticate to a GlobalProtect portal was a DNS resolution
failure for the FQDNs in a RADIUS server profile (Device > Server Profiles > RADIUS). |
PAN-91809 | Fixed an issue on VM-Series firewalls for
Azure where, after the firewall rebooted, some interfaces configured
as DHCP clients intermittently did not receive DHCP-assigned IP
addresses. |
PAN-91776 | Fixed an issue where endpoint users could
not authenticate to GlobalProtect when specifying a User
Domain with Microsoft-supported symbols such as the
dollar symbol ($) in the authentication profile (Device > Authentication Profile). |
PAN-91597 | As an enhancement to improve security for
the firewall, the management (MGT) interface now includes the following
HTTP security headers: X-XSS-Protection, X-Content-Type-Options,
and Content-Security-Policy. |
PAN-91591 | Fixed an issue where the GlobalProtect agent
failed to establish a TCP connection with the GlobalProtect gateway
when TCP SYN packets had unsupported congestion notification flag
bits set (ECN or CWR). |
PAN-91564 | A security-related fix was made to prevent a local privilege escalation vulnerability that allowed administrators to access the password hashes of local users (CVE-2018-9334). |
PAN-91559 | Fixed an issue where PA-5200 Series firewalls
caused slow traffic over IPSec VPN tunnels because the firewalls
reordered TCP segments during IPSec encryption. |
PAN-91370 | Fixed an issue where the firewall dropped
IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules
because the firewall incorrectly translated the destination address
for a host that resided on a directly attached network. |
PAN-91360 | Fixed an issue where, in rare cases, the
firewall couldn't establish connections with GlobalProtect agents
because the rasmgr process stopped responding when
hundreds of end users logged in and out of GlobalProtect at the
same time. |
PAN-91254 | Fixed an issue where end user accounts were
locked out after you configured authentication based on a RADIUS
server profile with multiple servers (Device > Server Profiles > RADIUS)
and enabled the gateway to Retrieve Framed-IP-Address
attribute from authentication server (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > IP Pools). With this fix, instead
of requesting framed IP addresses from all the servers in a RADIUS
server profile at the same time, the firewall sends the request to
only one server at a time until one of the servers responds. |
PAN-90824 | An enhancement was made to improve compatibility
for the HTTP log forwarding feature so that you
can specify the TLS version that the HTTP log forwarding feature
uses to connect to the HTTP server. To specify the version,
use the debug system https-settings tls-version CLI
command. (To view the version that is currently specified, use the debug system https-settings command.) |
PAN-90753 | Fixed an issue where firewalls in an active/passive
HA configuration didn’t synchronize multicast sessions between the
firewall HA peers. |
PAN-90448 | Fixed an issue where PA-7000 Series and
PA-5200 Series firewalls didn't properly Rematch all
sessions on config policy change for offloaded sessions (Device > Setup > Session). |
PAN-90411 | Fixed an issue where PA-5200 Series firewalls
didn’t forward buffered logs to Panorama Log Collectors after connectivity
between the firewalls and Log Collectors was disrupted and then
restored. |
PAN-90404 | Fixed an issue where the Panorama management
server intermittently displayed the connections among Log Collectors
as disconnected after pushing configurations to a Collector Group (Panorama > Managed Collectors). |
PAN-90347 | Fixed an issue on a PA-5000 Series firewall
configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs)
where the firewall dropped tunneled traffic after clear text sessions
were established on a different dataplane than the first dataplane
(DP0). |
PAN-90190 | Fixed an issue on the Panorama virtual appliance
on a VMware ESXi server where VMware Tools failed to start after
you upgraded to PAN-OS 8.1. |
PAN-90143 | Fixed an issue where administrators intermittently
failed to log in to the firewall because it intermittently restarted
processes continuously due to an out-of-memory condition. |
PAN-90048 | Fixed an issue where automatic commits failed
after you configured Security policy rules that referenced region
objects for the source or destination and then upgraded the PAN-OS
software. |
PAN-89992 | Fixed an issue where the firewall didn’t
efficiently handle traffic in which the number of Address Resolution
Protocol (ARP) packets exceeded the processing capacity of the firewall.
With this fix, the firewall handles ARP packets more efficiently. |
PAN-89748 | Fixed an issue on the Panorama virtual appliance
for Azure where commit operations failed after you added administrator
accounts other than the default admin account, switched from Panorama
mode to Log Collector mode, made configuration changes, and then
tried to commit your changes. With this fix, Panorama removes all
administrator accounts other than the default admin account when
you switch to Log Collector mode. Dedicated Log Collectors support
only the default admin account. |
PAN-89715 | Fixed an issue on PA-5200 Series firewalls
in an active/passive HA configuration where failover took a few
seconds longer than expected when it was triggered after the passive
firewall rebooted. |
PAN-89525 | Fixed a configuration parsing issue where
a default setup of the Authentication Profile caused the firewall
to reboot during commit. If the administrator configured the Authentication
Profile with any allowed values, including the default values, the
configuration committed successfully. The issue was observed on
a PA-500 firewall in FIPS-CC mode. |
PAN-89171 | Fixed an issue on firewalls in an HA configuration
where an auto-commit failed (the error message was Error: Duplicate user name)
after you connected a new suspended-secondary peer to an active-primary peer. |
PAN-88852 | Fixed an issue where VM-Series firewalls
stopped displaying URL Filtering logs after you configured a URL
Filtering profile with an alert action (Objects > Security Profiles > URL Filtering). |
PAN-88752 | Fixed an issue where User-ID agents configured
to detect credential phishing didn’t detect passwords that contained
a blank space. |
PAN-88649 | Fixed an issue where, after receiving machine
account names in UPN format from a Windows-based User-ID agent,
the firewall misidentified them as user accounts and overrode usernames
with machine names in IP address-to-username mappings. |
PAN-87964 | Fixed an issue where the firewall couldn't
render URL content for end users after you configured GlobalProtect
Clientless VPN with a Hostname set to a Layer
3 subinterface or VLAN interface (Network > GlobalProtect > Portals > <portal> > Clientless VPN > General). |
PAN-87309 | Fixed an issue where, after you configured
a GlobalProtect gateway to exclude all video streaming traffic from
the VPN tunnel, Hulu and Sling TV traffic could not be redirected
if you did not configure any security profiles (such as a File Blocking
profile) for your firewall Security policies. |
PAN-86934 | Fixed an issue where the firewall applied
case sensitivity to the names of shared user groups that were defined
in its local database and, as a result, users who belonged to those
groups couldn't access applications through GlobalProtect Clientless
VPN even after successful authentication. With this fix, the firewall
ignores character case when evaluating the names of user groups
in its local database. |
PAN-86076 | As an enhancement to improve security for
GlobalProtect deployments, the GlobalProtect portal now includes
the following HTTP security headers in responses to end user login
requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy. |
PAN-86028 | Fixed an issue in an HA active/active configuration where traffic in a GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing if asymmetric routing was involved. |
PAN-85308 | Fixed an issue in the output for on-demand custom reports (select Monitor > Manage Custom Reports > <report> and Run Now) where the <column_heading> drop-down displayed a Columns option even though you couldn't add or remove columns. With this fix, the <column_heading> drop-down no longer displays a Columns option. |
PAN-83001 | Fixed an issue where the firewall dropped
packets based on a QoS class even though traffic didn’t exceed the
maximum bandwidth for that class. |
PAN-81495 | Fixed an issue where connections that the
firewall handles as an Application Level Gateway (ALG) service were
disconnected when destination NAT and decryption were enabled. |
PAN-80664 | Fixed an issue where, after end users who
haven't yet enrolled in Duo failed to authenticate to a GlobalProtect
portal that used a RADIUS server integrated with Duo for multi-factor
authentication, the portal login page displayed Invalid username or password as
the authentication error instead of displaying a Duo enrollment
URL so that the users could enroll. |