PAN-OS 8.1.1 Addressed Issues

Issue ID
Description
WF500-4599
Fixed an issue on WF-500 appliance clusters where attempts to submit samples for analysis through the WildFire XML API failed with a 499 or 502 error in the HTTP response when the local worker was fully loaded.
WF500-4535
Fixed an issue where the WF-500 appliance couldn’t forward logs over TCP or SSL to a syslog server.
WF500-4473
Fixed an issue where the root partition on the WF-500 appliance reached its maximum storage capacity because the following log files had no size limit and grew continuously: appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs have a limit of 10MB and the WF-500 appliance maintains one rotating backup file for each of these logs to store old data when a log exceeds the limit. Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a limit of 5MB and the WF-500 appliance maintains eight rotating backup files for each of these logs.
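The entry above describes a size cap plus a fixed number of rotating backups for each log. The following is an added example, not the WF-500 appliance's own code (the page does not describe how the appliance implements the rotation); it shows the same policy as a small size-triggered rotation routine, with the limits and backup counts taken from the entry and a constructed run in a temporary directory.

```python
"""Size-capped log rotation with a fixed number of backups, illustrating the
limits that WF500-4473 states (10MB with one backup; 5MB with eight backups).
Added example; it is not the WF-500 appliance's own rotation code, and the
appliance's mechanism is not described on the page."""
import os
import tempfile

MB = 1024 * 1024
# Per-log (size limit in bytes, number of rotating backups), as stated in WF500-4473.
POLICY = {
    "appweb_access.log": (10 * MB, 1),
    "trap-access.log": (10 * MB, 1),
    "wpc_build_detail.log": (10 * MB, 1),
    "rsyncd.log": (5 * MB, 8),
    "cluster-mgr.log": (5 * MB, 8),
    "cluster-script.log": (5 * MB, 8),
}


def rotate_if_needed(path: str, max_bytes: int, backups: int) -> bool:
    """Rotate `path` when it exceeds max_bytes: drop path.<backups>, shift each
    path.N to path.N+1, move the live file to path.1 and start a fresh empty
    file. Returns True when a rotation happened. Disk use is bounded at roughly
    (backups + 1) * max_bytes per log, which is the point of the fix."""
    if not os.path.exists(path) or os.path.getsize(path) <= max_bytes:
        return False
    oldest = f"{path}.{backups}"
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(backups - 1, 0, -1):
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.replace(src, f"{path}.{n + 1}")
    os.replace(path, f"{path}.1")
    open(path, "wb").close()
    return True


def backup_count(path: str) -> int:
    """Count the numbered backups (path.1, path.2, ...) currently on disk."""
    directory, base = os.path.split(path)
    count = 0
    for entry in os.listdir(directory or "."):
        prefix, _, suffix = entry.rpartition(".")
        if prefix == base and suffix.isdigit():
            count += 1
    return count


def demo() -> dict:
    """Constructed run in a temporary directory: overfill rsyncd.log nine times
    and appweb_access.log twice, rotating after each fill. Returns, per log,
    how many rotations happened, how many backups survived and the live size."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, rounds in (("rsyncd.log", 9), ("appweb_access.log", 2)):
            limit, backups = POLICY[name]
            path = os.path.join(workdir, name)
            rotations = 0
            for _ in range(rounds):
                with open(path, "ab") as log:
                    log.write(b"x" * (limit + 1))  # one byte over the limit
                if rotate_if_needed(path, limit, backups):
                    rotations += 1
            results[name] = {
                "rotations": rotations,
                "backups": backup_count(path),
                "live_size": os.path.getsize(path),
            }
    return results


if __name__ == "__main__":
    for name, stats in demo().items():
        print(name, stats)
```

Running the module fills rsyncd.log past its 5MB limit nine times and ends with exactly eight backups (the ninth oldest is dropped), while appweb_access.log keeps a single backup; the live file is empty after each rotation.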
WF500-4397
Fixed an issue in a WF-500 appliance cluster where the controller backup node was stuck in the global-db-service: WaitingforLeaderReady status when you tried to add nodes to the cluster.
WF500-4363
Fixed an issue where firewalls and Panorama management servers couldn’t retrieve reports from a WF-500 appliance due to an interruption in its data migration after you upgraded the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later release. With this fix, you can run the new debug device data-migration show CLI command on the WF-500 appliance after each upgrade to verify that data migration finished successfully (the output is Migration in MySQL is successful). Don't perform additional upgrades on the WF-500 appliance until the data migration finishes.
PAN-95536
Fixed an issue where Dedicated Log Collectors failed to forward logs to syslog servers.
PAN-95504
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the management server process (mgmtsrvr) restarted after you set its debugging level to debug (through the debug management-server on debug CLI command).
PAN-95288
Fixed an issue where the firewall web interface didn't display System logs (Monitor > Logs > System) after you upgraded to PAN-OS 8.1 and then logged in using an administrative account that existed before the upgrade.
PAN-94845
Fixed an issue where App-ID didn’t recognize GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port 2152 when only single-direction message packets arrived (Traffic logs indicated application insufficient-data).
PAN-94741
Fixed an issue on the Panorama management server where characters in the Secret string of a TACACS+ server profile changed on the firewall after you pushed the server profile configuration from a template stack (Device > Server Profiles > TACACS+).
PAN-94700
Fixed an issue on the PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewalls where the GlobalProtect data file installation failed after you upgraded the firewall to PAN-OS 8.1.
PAN-94661
Fixed an issue where the firewall and Panorama management server displayed policy rules in a jumbled order when you scrolled the rule list in the Policies tab. The firewall and Panorama also opened the wrong rule for editing when you double-clicked one.
PAN-94640
Fixed an issue where System logs included the following debugging information even though the firewall successfully resolved IP addresses: Failed to resolve domain name: xxx.yyy.zz after trying all attempts to name servers: A.B.C.D, W.X.Y.Z. With this fix, daemon logs include that debugging information instead of System logs.
PAN-94633
Fixed an issue where, after upgrading the firewall to PAN-OS 8.1, LDAP authentication failed if the associated authentication profile had an Allow List with entries other than All (Device > Authentication Profile).
PAN-94569
Fixed an issue where GlobalProtect client authentication failed after you entered domains in upper case characters in the Allow List of an authentication profile (Device > Authentication Profile > <authentication_profile> > Advanced).
PAN-94445
Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable.
PAN-94387
Fixed an issue where the Check URL Category link in URL Filtering profiles opened a page that displayed a page not found error instead of opening the web page used to check the PAN-DB URL Filtering database for the URL Filtering category of a URL (Objects > Security Profiles > URL Filtering).
PAN-94386
Fixed an issue where the firewall dropped packet data protocol (PDP) context update and delete messages that had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the dropped messages were valid.
PAN-94379
Fixed an issue in a Panorama deployment with a Collector Group containing multiple Log Collectors where the logging search engine restarted after you changed the SSH keys used for high availability (HA). The disruption to the search engine caused an out-of-memory condition and caused Panorama to display logs and report data from only one Log Collector in the Collector Group.
PAN-94317
Fixed the following LDAP authentication issues:
  • Authentication failed for users who belonged to user groups for which you specified LDAP short names instead of long names in the Allow List of an authentication profile (Device > Authentication Profile).
  • When performing LDAP lookups based on entries in the Allow List of LDAP authentication profiles, the firewall treated unknown group names as usernames.
  • Authentication failed for users who belonged to multiple groups that you entered in the Allow List of different LDAP authentication profiles.
PAN-94288
Fixed an issue where the default view and maximized view of the Application Usage report (ACC > Network Activity) didn't display matching values when you set the Time to Last 12 Hrs or a longer period.
PAN-94170
Fixed an issue where GTP traffic failed because the firewall dropped GTP-U echo request packets.
PAN-94135
Fixed an issue where device monitoring did not work on the Panorama management server.
PAN-93930
Fixed an issue on firewalls with SSL decryption configured where the dataplane restarted because the all_pktproc process stopped responding after decryption errors occurred.
PAN-93865
Fixed an issue where the GlobalProtect agent couldn't split tunnel applications based on the destination domain because the Include Domain and Exclude Domain lists were not pushed to the agent after the user established the GlobalProtect connection (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > Split Tunnel > Domain and Application). In addition, the GlobalProtect agent couldn't include applications in the VPN tunnel based on the application process name because the Include Client Application Process Name list was not pushed to the agent after the user established the GlobalProtect connection.
PAN-93854
Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic due to high CPU usage by the pan_task process.
PAN-93640
Fixed an issue on firewalls where the Log Collector preference list displayed the IP address as unknown for a Panorama Log Collector deployed on AWS if the interface (ethernet1/1 to ethernet1/5) used for sending logs did not have a public IP address configured and you pushed configurations to the Collector Group.
PAN-93431
Fixed an issue where the Panorama management server failed to export Traffic logs as a CSV file (Monitor > Logs > Traffic) after you set the Max Rows in CSV Export to more than 500,000 rows (Panorama > Setup > Management > Logging and Reporting Settings > Log Export and Reporting).
PAN-93430
Fixed an issue where the firewall web interface didn't display Host Information Profile (HIP) information in HIP Match logs for end users who had Microsoft-supported special characters in their domains or usernames.
PAN-93336
Fixed an issue where the firewall intermittently became unresponsive because the management server process (mgmtsrvr) stopped responding during a commit after you configured policy rules to use external dynamic lists (EDLs).
PAN-93106
Fixed an issue where the Google Chrome browser displayed certificate warnings for self-signed ECDSA certificates that you generated on the firewall.
PAN-93090
Fixed an issue where the GCP DHCP Server took 30-50 seconds to respond to a DHCP discover request, causing DHCP IP assignments to fail.
PAN-93089
A security-related fix was made to prevent denial of service (DoS) to the management web interface (CVE-2018-8715).
PAN-93072
Fixed an issue on hardware firewalls that were decrypting SSL traffic where multiple commits in a short period of time caused the firewalls to become unresponsive.
PAN-93052
Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were withdrawn) after the associated firewall interface went down.
PAN-92950
Fixed an issue where a Panorama appliance experienced memory depletion after allowing you to mistakenly enter the IP address of the appliance itself when using the set deviceconfig system panorama-server <IP_address> or set log-collector <Log_Collector> deviceconfig system configuration mode CLI commands. These commands enable connectivity with separate appliances. With this fix, the command displays an error message when you specify the IP address of the appliance on which you run the command instead of the appliance to which it must connect. The correct IP address depends on the type of appliance on which you run the command:
  • Panorama management server in an HA configuration: specify the IP address of the Panorama HA peer.
  • Dedicated Log Collector: specify the IP addresses of the Panorama management servers, where panorama-server specifies the primary HA Panorama (or the only Panorama in a non-HA configuration) and panorama-server-2 specifies the secondary HA Panorama: set log-collector <Log_Collector> deviceconfig system {panorama-server | panorama-server-2} <IP_address>.
PAN-92944
Fixed an issue where the firewall assigned the wrong URL filtering category to traffic that contained a malformed host header. With this fix, the firewall enables the blocking of any traffic with a malformed URL.
PAN-92916
Fixed an issue where firewalls configured for User-ID redistribution failed to redistribute IP address-to-username mappings due to a memory leak.
PAN-92858
Fixed an issue where the Panorama management server could not generate reports and the ACC page became unresponsive when too many heartbeats were missed because Panorama never cleared reportIDs greater than 65535.
PAN-92789
Fixed an issue where VM-Series firewalls deleted logs by reinitializing the logging disk when the periodic file system integrity check (FSCK) took over 30 minutes during bootup.
PAN-92788
Fixed an issue where the PAN-OS XML API returned the same job IDs for all report jobs on the firewall. With this fix, the PAN-OS XML API returns the correct job ID for each report job.
PAN-92738
Fixed an issue on the Panorama management server where administrators with read-only privileges couldn’t view deployment Schedules for content updates (Panorama > Device Deployment > Dynamic Updates).
PAN-92678
Fixed an issue on Panorama management servers in an HA configuration where, after failover caused the secondary HA peer to become active, it failed to deploy scheduled dynamic updates to Log Collectors and firewalls.
PAN-92604
Fixed an issue where a Panorama Collector Group didn’t forward logs to some external servers after you configured multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding).
PAN-92564
Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to a PAN-OS 8.1 release. With this fix, you must not reboot the firewall after you download and install the PAN-OS 8.1 base image until after you download and install the PAN-OS 8.1.1 release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.1 upgrade information.
PAN-92560
Fixed an issue where SSL Forward Proxy decryption didn’t work after you excluded every predefined Hostname from decryption (Device > Certificate Management > SSL Decryption Exclusion).
PAN-92487
Fixed an issue where enabling jumbo frames (Device > Setup > Session) reduced throughput because:
  • The firewalls hardcoded the maximum segment size (TCP MSS) within TCP SYN packets and in server-to-client traffic at 1,460 bytes when packets exceeded that size. With this fix, the firewalls no longer hardcode the TCP MSS value for TCP sessions.
  • PA-7000 Series and PA-5200 Series firewalls hardcoded the maximum transmission unit (MTU) at 1,500 bytes for the encapsulation stage when tunneled clear-text traffic and the originating tunnel session were on different dataplanes. With this fix, the firewalls use the MTU configured for the interface (Network > Interfaces > <interface> > Advanced > Other Info) instead of hardcoding the MTU at 1,500 bytes.
PAN-92445
Fixed an issue where the Panorama management server didn't display log data in Monitor > Logs, the ACC tab, or reports when Panorama was in a different timezone than the Dedicated Log Collectors because Panorama applied the wrong time filter.
PAN-92380
Fixed an issue where, when you tried to export a custom report, and your Chrome or Firefox browser was configured to block popup windows, the firewall instead downloaded a Tech Support File to your client system.
PAN-92256
Fixed an issue where the firewall didn't Block sessions with unsupported cipher suites based on Decryption policy rules for SSL Inbound Inspection when the rules referenced a Decryption Profile with a list of allowed ciphers that didn't match the ciphers that the destination server specified (Objects > Decryption > Decryption Profile). With this fix, the firewall checks the ciphers of both the source client and destination server against the cipher list in Decryption profiles when evaluating whether to allow sessions based on Decryption policy.
PAN-92251
Fixed an issue where VM-Series firewalls used the incorrect MAC address in DHCP messages initiated from a subinterface after you configured that subinterface as a DHCP Client (Network > Interfaces > Ethernet > <subinterface> > IPv4) and disabled the Use Hypervisor Assigned MAC Address option (Device > Management > Setup).
PAN-92163
Fixed an issue where firewalls in an active/passive HA configuration took longer than expected to fail over after you configured them to redistribute routes between an interior gateway protocol (IGP) and Border Gateway Protocol (BGP).
PAN-92152
Fixed an issue where the firewall web interface displayed a blank Device > Licenses page when you had 10 x 5 phone support.
PAN-92082
Fixed an issue where the firewall didn't generate URL Filtering logs for user credential submissions associated with a URL that was not a container page after you selected Log container page only and set the User Credential Submission action to alert for the URL category in a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>). With this fix, the firewall generates URL Filtering logs for user credential submissions regardless of whether you enable Log container page only in the URL Filtering profile.
PAN-91946
Fixed an issue where the Panorama management server intermittently did not refresh health data for managed firewalls (Panorama > Managed Devices > Health) and therefore displayed 0 for session statistics.
PAN-91945
Fixed an issue where the firewall didn't generate a System log to indicate when the reason that end users couldn’t authenticate to a GlobalProtect portal was a DNS resolution failure for the FQDNs in a RADIUS server profile (Device > Server Profiles > RADIUS).
PAN-91809
Fixed an issue on VM-Series firewalls for Azure where, after the firewall rebooted, some interfaces configured as DHCP clients intermittently did not receive DHCP-assigned IP addresses.
PAN-91776
Fixed an issue where endpoint users could not authenticate to GlobalProtect when specifying a User Domain with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (Device > Authentication Profile).
PAN-91597
As an enhancement to improve security for the firewall, the management (MGT) interface now includes the following HTTP security headers: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.
PAN-91591
Fixed an issue where the GlobalProtect agent failed to establish a TCP connection with the GlobalProtect gateway when TCP SYN packets had unsupported congestion notification flag bits set (ECN or CWR).
PAN-91564
A security-related fix was made to prevent a local privilege escalation vulnerability that allowed administrators to access the password hashes of local users (CVE-2018-9334).
PAN-91559
Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption.
PAN-91370
Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translated the destination address for a host that resided on a directly attached network.
PAN-91360
Fixed an issue where, in rare cases, the firewall couldn't establish connections with GlobalProtect agents because the rasmgr process stopped responding when hundreds of end users logged in and out of GlobalProtect at the same time.
PAN-91254
Fixed an issue where end user accounts were locked out after you configured authentication based on a RADIUS server profile with multiple servers (Device > Server Profiles > RADIUS) and enabled the gateway to Retrieve Framed-IP-Address attribute from authentication server (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > IP Pools). With this fix, instead of requesting framed IP addresses from all the servers in a RADIUS server profile at the same time, the firewall sends the request to only one server at a time until one of the servers responds.
PAN-90824
An enhancement was made to improve compatibility for the HTTP log forwarding feature so that you can specify the TLS version that the HTTP log forwarding feature uses to connect to the HTTP server. To specify the version, use the debug system https-settings tls-version CLI command. (To view the version that is currently specified, use the debug system https-settings command.)
PAN-90753
Fixed an issue where firewalls in an active/passive HA configuration didn’t synchronize multicast sessions between the firewall HA peers.
PAN-90448
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't properly Rematch all sessions on config policy change for offloaded sessions (Device > Setup > Session).
PAN-90411
Fixed an issue where PA-5200 Series firewalls didn’t forward buffered logs to Panorama Log Collectors after connectivity between the firewalls and Log Collectors was disrupted and then restored.
PAN-90404
Fixed an issue where the Panorama management server intermittently displayed the connections among Log Collectors as disconnected after pushing configurations to a Collector Group (Panorama > Managed Collectors).
PAN-90347
Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs) where the firewall dropped tunneled traffic after clear text sessions were established on a different dataplane than the first dataplane (DP0).
PAN-90190
Fixed an issue on the Panorama virtual appliance on a VMware ESXi server where VMware Tools failed to start after you upgraded to PAN-OS 8.1.
PAN-90143
Fixed an issue where administrators intermittently failed to log in to the firewall because it intermittently restarted processes continuously due to an out-of-memory condition.
PAN-90048
Fixed an issue where automatic commits failed after you configured Security policy rules that referenced region objects for the source or destination and then upgraded the PAN-OS software.
PAN-89992
Fixed an issue where the firewall didn’t efficiently handle traffic in which the number of Address Resolution Protocol (ARP) packets exceeded the processing capacity of the firewall. With this fix, the firewall handles ARP packets more efficiently.
PAN-89748
Fixed an issue on the Panorama virtual appliance for Azure where commit operations failed after you added administrator accounts other than the default admin account, switched from Panorama mode to Log Collector mode, made configuration changes, and then tried to commit your changes. With this fix, Panorama removes all administrator accounts other than the default admin account when you switch to Log Collector mode. Dedicated Log Collectors support only the default admin account.
PAN-89715
Fixed an issue on PA-5200 Series firewalls in an active/passive HA configuration where failover took a few seconds longer than expected when it was triggered after the passive firewall rebooted.
PAN-89525
Fixed a configuration parsing issue where a default setup of the Authentication Profile caused the firewall to reboot during commit. If the administrator configured the Authentication Profile with any allowed values, including the default values, the configuration committed successfully. The issue was observed on a PA-500 firewall in FIPS-CC mode.
PAN-89171
Fixed an issue on firewalls in an HA configuration where an auto-commit failed (the error message was Error: Duplicate user name) after you connected a new suspended-secondary peer to an active-primary peer.
PAN-88852
Fixed an issue where VM-Series firewalls stopped displaying URL Filtering logs after you configured a URL Filtering profile with an alert action (Objects > Security Profiles > URL Filtering).
PAN-88752
Fixed an issue where User-ID agents configured to detect credential phishing didn’t detect passwords that contained a blank space.
PAN-88649
Fixed an issue where, after receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentified them as user accounts and overrode usernames with machine names in IP address-to-username mappings.
PAN-87964
Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with a Hostname set to a Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals > <portal> > Clientless VPN > General).
PAN-87309
Fixed an issue where, after you configured a GlobalProtect gateway to exclude all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic could not be redirected if you did not configure any security profiles (such as a File Blocking profile) for your firewall Security policies.
PAN-86934
Fixed an issue where the firewall applied case sensitivity to the names of shared user groups that were defined in its local database and, as a result, users who belonged to those groups couldn't access applications through GlobalProtect Clientless VPN even after successful authentication. With this fix, the firewall ignores character case when evaluating the names of user groups in its local database.
PAN-86076
As an enhancement to improve security for GlobalProtect deployments, the GlobalProtect portal now includes the following HTTP security headers in responses to end user login requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.
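PAN-91597 and PAN-86076 both add the same three HTTP security headers, to the MGT interface and to the GlobalProtect portal login response respectively. The following is an added example, not PAN-OS code: a small Python audit that parses a raw HTTP response head, reports whether X-XSS-Protection, X-Content-Type-Options and Content-Security-Policy are present, and flags obviously weak values. The two sample responses are constructed; the fetch_headers helper, and the host, port and path you would pass it, are assumptions (the page does not state the URL paths of either interface).

```python
"""Audit an HTTP response for the security headers that PAN-91597 and
PAN-86076 say the MGT interface and the GlobalProtect portal now send.
Added example; not PAN-OS code. Sample responses below are constructed."""
import http.client
import ssl

# Header names taken from the two release-note entries.
REQUIRED_HEADERS = ("X-XSS-Protection", "X-Content-Type-Options", "Content-Security-Policy")


def parse_response_head(raw: bytes) -> dict:
    """Parse the head of a raw HTTP/1.1 response (status line plus header
    lines) into a dict keyed by lower-cased header name. The body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    _status_line, _, header_block = head.partition(b"\r\n")
    headers = {}
    for line in header_block.split(b"\r\n"):
        if b":" not in line:
            continue  # skip blank or malformed lines
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every required header is
    present with a sane value. Values are checked only loosely because the
    release notes name the headers, not the exact values the appliance sends."""
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing: {name}")
    xcto = headers.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append(f"weak: X-Content-Type-Options={xcto!r} (expected nosniff)")
    csp = headers.get("content-security-policy", "")
    if csp and "default-src" not in csp:
        findings.append("weak: Content-Security-Policy lacks a default-src directive")
    return findings


def fetch_headers(host: str, path: str = "/", port: int = 443, verify: bool = True) -> dict:
    """Fetch the response headers of one HTTPS request to your own appliance.
    Assumed usage: host, path and port are whatever your management or portal
    interface listens on; the page does not specify them. Not run by the test."""
    context = ssl.create_default_context()
    if not verify:  # only for an appliance still using a self-signed certificate
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=10)
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        return {k.lower(): v for k, v in response.getheaders()}
    finally:
        conn.close()


# Constructed sample responses: one that carries the headers and one that does not.
PATCHED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"<html><body>login</body></html>"
)
UNPATCHED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("patched", PATCHED_RESPONSE), ("unpatched", UNPATCHED_RESPONSE)):
        print(label, audit_security_headers(parse_response_head(raw)) or "OK")
```

Against a live appliance you would call audit_security_headers(fetch_headers(host, path)) for both the management interface and the portal login page, before and after the upgrade, and expect the finding list to go from three missing headers to empty.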
PAN-86028
Fixed an issue in an HA active/active configuration where traffic in a GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing if asymmetric routing was involved.
PAN-85308
Fixed an issue in the output for on-demand custom reports (select Monitor > Manage Custom Reports > <report> and Run Now) where the <column_heading> drop-down displayed a Columns option even though you couldn't add or remove columns. With this fix, the <column_heading> drop-down no longer displays a Columns option.
PAN-83001
Fixed an issue where the firewall dropped packets based on a QoS class even though traffic didn’t exceed the maximum bandwidth for that class.
PAN-81495
Fixed an issue where connections that the firewall handles as an Application Level Gateway (ALG) service were disconnected when destination NAT and decryption were enabled.
PAN-80664
Fixed an issue where, after end users who hadn't yet enrolled in Duo failed to authenticate to a GlobalProtect portal that used a RADIUS server integrated with Duo for multi-factor authentication, the portal login page displayed Invalid username or password as the authentication error instead of displaying a Duo enrollment URL so that the users could enroll.
