PAN-OS 8.1.1 Addressed Issues
Fixed an issue on WF-500 appliance clusters where attempts to submit samples for analysis through the WildFire XML API failed with a 499 or 502 error in the HTTP response when the local worker was fully loaded.
Fixed an issue where the WF-500 appliance couldn’t forward logs over TCP or SSL to a syslog server.
Fixed an issue where the root partition on the WF-500 appliance reached its maximum storage capacity because the following log files had no size limit and grew continuously: appweb_access.log, trap-access.log, wpc_build_detail.log, rsyncd.log, cluster-mgr.log, and cluster-script.log. With this fix, the appweb_access.log, trap-access.log, and wpc_build_detail.log logs have a limit of 10MB and the WF-500 appliance maintains one rotating backup file for each of these logs to store old data when a log exceeds the limit. Also with this fix, the rsyncd.log, cluster-mgr.log, and cluster-script.log logs have a limit of 5MB and the WF-500 appliance maintains eight rotating backup files for each of these logs.
Fixed an issue in a WF-500 appliance cluster where the controller backup node was stuck in global-db-service: WaitingforLeaderReady status when you tried to add nodes to the cluster.
Fixed an issue where firewalls and Panorama management servers couldn’t retrieve reports from a WF-500 appliance due to an interruption in its data migration after you upgraded the appliance from a PAN-OS 7.1 release to a PAN-OS 8.0 or later release. With this fix, you can run the new debug device data-migration show CLI command on the WF-500 appliance after each upgrade to verify data migration finished successfully (output is Migration in MySQL is successful). Don't perform additional upgrades on the WF-500 appliance until the data migration finishes.
Fixed an issue where Dedicated Log Collectors failed to forward logs to syslog servers.
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the management server process (mgmtsrvr) restarted after you set its debugging level to debug (through the debug management-server on debug CLI command).
Fixed an issue where the firewall web interface didn't display System logs (Monitor > Logs > System) after you upgraded to PAN-OS 8.1 and then logged in using an administrative account that existed before the upgrade.
Fixed an issue where App-ID didn’t recognize GPRS Tunneling Protocol User Plane (GTP-U) in GTP messages on port 2152 when only single-direction message packets arrived (Traffic logs indicated application insufficient-data).
Fixed an issue on the Panorama management server where characters in the Secret string of a TACACS+ server profile changed on the firewall after you pushed the server profile configuration from a template stack (Device > Server Profiles > TACACS+).
Fixed an issue on the PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewalls where the GlobalProtect data file installation failed after you upgraded the firewall to PAN-OS 8.1.
Fixed an issue where the firewall and Panorama management server displayed policy rules in a jumbled order when you scrolled the rule list in the Policies tab. The firewall and Panorama also opened the wrong rule for editing when you double-clicked one.
Fixed an issue where System logs included the following debugging information even though the firewall successfully resolved IP addresses: Failed to resolve domain name: xxx.yyy.zz after trying all attempts to name servers: A.B.C.D, W.X.Y.Z. With this fix, daemon logs include that debugging information instead of System logs.
Fixed an issue where, after upgrading the firewall to PAN-OS 8.1, LDAP authentication failed if the associated authentication profile had an Allow List with entries other than All (Device > Authentication Profile).
Fixed an issue where GlobalProtect client authentication failed after you entered domains in upper case characters in the Allow List of an authentication profile (Device > Authentication Profile > <authentication_profile> > Advanced).
Fixed an issue where Server Message Block (SMB) sessions were in a discard state with the session end reason resources-unavailable.
Fixed an issue where the Check URL Category link in URL Filtering profiles opened a page that displayed a page not found error instead of opening the web page used to check the PAN-DB URL Filtering database for the URL Filtering category of a URL (Objects > Security Profiles > URL Filtering).
Fixed an issue where the firewall dropped packet data protocol (PDP) context update and delete messages that had a tunnel endpoint identifier (TEID) of zero in GPRS Tunneling Protocol (GTP) traffic, and the traffic failed when the dropped messages were valid.
Fixed an issue in a Panorama deployment with a Collector Group containing multiple Log Collectors where the logging search engine restarted after you changed the SSH keys used for high availability (HA). The disruption to the search engine caused an out-of-memory condition and caused Panorama to display logs and report data from only one Log Collector in the Collector Group.
Fixed the following LDAP authentication issues:
Fixed an issue where the default view and maximized view of the Application Usage report (ACC > Network Activity) didn't display matching values when you set the Time to Last 12 Hrs or a longer period.
Fixed an issue where GTP traffic failed because the firewall dropped GTP-U echo request packets.
Fixed an issue where device monitoring did not work on the Panorama management server.
Fixed an issue on firewalls with SSL decryption configured where the dataplane restarted because the all_pktproc process stopped responding after decryption errors occurred.
Fixed an issue where the GlobalProtect agent couldn't split tunnel applications based on the destination domain because the Include Domain and Exclude Domain lists were not pushed to the agent after the user established the GlobalProtect connection (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > Split Tunnel > Domain and Application). In addition, the GlobalProtect agent couldn't include applications in the VPN tunnel based on the application process name because the Include Client Application Process Name list was not pushed to the agent after the user established the GlobalProtect connection.
Fixed an issue where the VM-Series firewall for NSX randomly disrupted traffic due to high CPU usage by the pan_task process.
Fixed an issue on firewalls where the Log Collector preference list displayed the IP address as unknown for a Panorama Log Collector deployed on AWS if the interface (ethernet1/1 to ethernet1/5) used for sending logs did not have a public IP address configured and you pushed configurations to the Collector Group.
Fixed an issue where the Panorama management server failed to export Traffic logs as a CSV file (Monitor > Logs > Traffic) after you set the Max Rows in CSV Export to more than 500,000 rows (Panorama > Setup > Management > Logging and Reporting Settings > Log Export and Reporting).
Fixed an issue where the firewall web interface didn't display Host Information Profile (HIP) information in HIP Match logs for end users who had Microsoft-supported special characters in their domains or usernames.
Fixed an issue where the firewall intermittently became unresponsive because the management server process (mgmtsrvr) stopped responding during a commit after you configured policy rules to use external dynamic lists (EDLs).
Fixed an issue where the Google Chrome browser displayed certificate warnings for self-signed ECDSA certificates that you generated on the firewall.
Fixed an issue where the GCP DHCP Server took 30-50 seconds to respond to a DHCP discover request, causing DHCP IP assignments to fail.
A security-related fix was made to prevent denial of service (DoS) to the management web interface (CVE-2018-8715).
Fixed an issue on hardware firewalls that were decrypting SSL traffic where multiple commits in a short period of time caused the firewalls to become unresponsive.
Fixed an issue where IPv6 BGP peering persisted (not all BGP routes were withdrawn) after the associated firewall interface went down.
Fixed an issue where a Panorama appliance experienced memory depletion after allowing you to mistakenly enter the IP address of the appliance when using the set deviceconfig system panorama-server <IP_address> or set log-collector <Log_Collector> deviceconfig system configuration mode CLI commands. These commands enable connectivity with separate appliances. With this fix, the command displays an error message when you specify the IP address of the appliance on which you run the command instead of the appliance to which it must connect. The correct IP address depends on the type of appliance on which you run the command:
Fixed an issue where the firewall assigned the wrong URL filtering category to traffic that contained a malformed host header. With this fix, the firewall enables the blocking of any traffic with a malformed URL.
Fixed an issue where firewalls configured for User-ID redistribution failed to redistribute IP address-to-username mappings due to a memory leak.
Fixed an issue where the Panorama management server could not generate reports and the ACC page became unresponsive when too many heartbeats were missed because Panorama never cleared reportIDs greater than 65535.
Fixed an issue where VM-Series firewalls deleted logs by reinitializing the logging disk when the periodic file system integrity check (FSCK) took over 30 minutes during bootup.
Fixed an issue where the PAN-OS XML API returned the same job IDs for all report jobs on the firewall. With this fix, the PAN-OS XML API returns the correct job ID for each report job.
Fixed an issue on the Panorama management server where administrators with read-only privileges couldn’t view deployment Schedules for content updates (Panorama > Device Deployment > Dynamic Updates).
Fixed an issue on Panorama management servers in an HA configuration where, after failover caused the secondary HA peer to become active, it failed to deploy scheduled dynamic updates to Log Collectors and firewalls.
Fixed an issue where a Panorama Collector Group didn’t forward logs to some external servers after you configured multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding).
Fixed an issue where a small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) stopped working or experienced other issues after you upgraded the firewall to which the SFPs are connected to a PAN-OS 8.1 release. With this fix, you must not reboot the firewall after you download and install the PAN-OS 8.1 base image until after you download and install the PAN-OS 8.1.1 release. For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.1 upgrade information.
Fixed an issue where SSL Forward Proxy decryption didn’t work after you excluded every predefined Hostname from decryption (Device > Certificate Management > SSL Decryption Exclusion).
Fixed an issue where enabling jumbo frames (Device > Setup > Session) reduced throughput because:
Fixed an issue where the Panorama management server didn't display log data in Monitor > Logs, the ACC tab, or reports when Panorama was in a different timezone than the Dedicated Log Collectors because Panorama applied the wrong time filter.
Fixed an issue where, when you tried to export a custom report, and your Chrome or Firefox browser was configured to block popup windows, the firewall instead downloaded a Tech Support File to your client system.
Fixed an issue where the firewall didn't Block sessions with unsupported cipher suites based on Decryption policy rules for SSL Inbound Inspection when the rules referenced a Decryption Profile with a list of allowed ciphers that didn't match the ciphers that the destination server specified (Objects > Decryption > Decryption Profile). With this fix, the firewall checks the ciphers of both the source client and destination server against the cipher list in Decryption profiles when evaluating whether to allow sessions based on Decryption policy.
Fixed an issue where VM-Series firewalls used the incorrect MAC address in DHCP messages initiated from a subinterface after you configured that subinterface as a DHCP Client (Network > Interfaces > Ethernet > <subinterface> > IPv4) and disabled the Use Hypervisor Assigned MAC Address option (Device > Management > Setup).
Fixed an issue where firewalls in an active/passive HA configuration took longer than expected to fail over after you configured them to redistribute routes between an interior gateway protocol (IGP) and Border Gateway Protocol (BGP).
Fixed an issue where the firewall web interface displayed a blank Device > Licenses page when you had 10 x 5 phone support.
Fixed an issue where the firewall didn't generate URL Filtering logs for user credential submissions associated with a URL that was not a container page after you selected Log container page only and set the User Credential Submission action to alert for the URL category in a URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile>). With this fix, the firewall generates URL Filtering logs for user credential submissions regardless of whether you enable Log container page only in the URL Filtering profile.
Fixed an issue where the Panorama management server intermittently did not refresh health data for managed firewalls (Panorama > Managed Devices > Health) and therefore displayed 0 for session statistics.
Fixed an issue where the firewall didn't generate a System log to indicate when the reason that end users couldn’t authenticate to a GlobalProtect portal was a DNS resolution failure for the FQDNs in a RADIUS server profile (Device > Server Profiles > RADIUS).
Fixed an issue on VM-Series firewalls for Azure where, after the firewall rebooted, some interfaces configured as DHCP clients intermittently did not receive DHCP-assigned IP addresses.
Fixed an issue where endpoint users could not authenticate to GlobalProtect when specifying a User Domain with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (Device > Authentication Profile).
As an enhancement to improve security for the firewall, the management (MGT) interface now includes the following HTTP security headers: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.
Fixed an issue where the GlobalProtect agent failed to establish a TCP connection with the GlobalProtect gateway when TCP SYN packets had unsupported congestion notification flag bits set (ECN or CWR).
A security-related fix was made to prevent a local privilege escalation vulnerability that allowed administrators to access the password hashes of local users (CVE-2018-9334).
Fixed an issue where PA-5200 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption.
Fixed an issue where PA-5200 Series firewalls rebooted when you ran the set ssh service-restart mgmt CLI command multiple times.
Fixed an issue where the firewall dropped IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translated the destination address for a host that resided on a directly attached network.
Fixed an issue where, in rare cases, the firewall couldn't establish connections with GlobalProtect agents because the rasmgr process stopped responding when hundreds of end users logged in and out of GlobalProtect at the same time.
Fixed an issue where end user accounts were locked out after you configured authentication based on a RADIUS server profile with multiple servers (Device > Server Profiles > RADIUS) and enabled the gateway to Retrieve Framed-IP-Address attribute from authentication server (Network > GlobalProtect > Gateways > <gateway> > Agent > Client Settings > <client_settings_configuration> > IP Pools). With this fix, instead of requesting framed IP addresses from all the servers in a RADIUS server profile at the same time, the firewall sends the request to only one server at a time until one of the servers responds.
An enhancement was made to improve compatibility for the HTTP log forwarding feature so that you can specify the TLS version that the HTTP log forwarding feature uses to connect to the HTTP server.
To specify the version, use the debug system https-settings tls-version CLI command. (To view the version that is currently specified, use the debug system https-settings command.)
Fixed an issue where firewalls in an active/passive HA configuration didn’t synchronize multicast sessions between the firewall HA peers.
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't properly Rematch all sessions on config policy change for offloaded sessions (Device > Setup > Session).
Fixed an issue where PA-5200 Series firewalls didn’t forward buffered logs to Panorama Log Collectors after connectivity between the firewalls and Log Collectors was disrupted and then restored.
Fixed an issue where the Panorama management server intermittently displayed the connections among Log Collectors as disconnected after pushing configurations to a Collector Group (Panorama > Managed Collectors).
Fixed an issue on a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs) where the firewall dropped tunneled traffic after clear text sessions were established on a different dataplane than the first dataplane (DP0).
Fixed an issue on the Panorama virtual appliance on a VMware ESXi server where VMware Tools failed to start after you upgraded to PAN-OS 8.1.
Fixed an issue where administrators intermittently failed to log in to the firewall because it intermittently restarted processes continuously due to an out-of-memory condition.
Fixed an issue where automatic commits failed after you configured Security policy rules that referenced region objects for the source or destination and then upgraded the PAN-OS software.
Fixed an issue where the firewall didn’t efficiently handle traffic in which the number of Address Resolution Protocol (ARP) packets exceeded the processing capacity of the firewall. With this fix, the firewall handles ARP packets more efficiently.
Fixed an issue on the Panorama virtual appliance for Azure where commit operations failed after you added administrator accounts other than the default admin account, switched from Panorama mode to Log Collector mode, made configuration changes, and then tried to commit your changes. With this fix, Panorama removes all administrator accounts other than the default admin account when you switch to Log Collector mode. Dedicated Log Collectors support only the default admin account.
Fixed an issue on PA-5200 Series firewalls in an active/passive HA configuration where failover took a few seconds longer than expected when it was triggered after the passive firewall rebooted.
Fixed a configuration parsing issue where a default setup of the Authentication Profile caused the firewall to reboot during commit. If the administrator configured the Authentication Profile with any allowed values, including the default values, the configuration committed successfully. The issue was observed on a PA-500 firewall in FIPS-CC mode.
Fixed an issue on firewalls in an HA configuration where an auto-commit failed (the error message was Error: Duplicate user name) after you connected a new suspended-secondary peer to an active-primary peer.
Fixed an issue where VM-Series firewalls stopped displaying URL Filtering logs after you configured a URL Filtering profile with an alert action (Objects > Security Profiles > URL Filtering).
Fixed an issue where User-ID agents configured to detect credential phishing didn’t detect passwords that contained a blank space.
Fixed an issue where, after receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentified them as user accounts and overrode usernames with machine names in IP address-to-username mappings.
Fixed an issue where the VM-Series firewall incorrectly displayed network interfaces as having a Link Speed of 1000 and a Link Duplex set to half when the actual values were different (Network > Interfaces > <interface> > Advanced).
Fixed an issue where the firewall couldn't render URL content for end users after you configured GlobalProtect Clientless VPN with a Hostname set to a Layer 3 subinterface or VLAN interface (Network > GlobalProtect > Portals > <portal> > Clientless VPN > General).
Fixed an issue where, after you configured a GlobalProtect gateway to exclude all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic could not be redirected if you did not configure any security profiles (such as a File Blocking profile) for your firewall Security policies.
Fixed an issue where the firewall applied case sensitivity to the names of shared user groups that were defined in its local database and, as a result, users who belonged to those groups couldn't access applications through GlobalProtect Clientless VPN even after successful authentication. With this fix, the firewall ignores character case when evaluating the names of user groups in its local database.
As an enhancement to improve security for GlobalProtect deployments, the GlobalProtect portal now includes the following HTTP security headers in responses to end user login requests: X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.
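The two enhancements above (the MGT interface and the GlobalProtect portal login response both now carry X-XSS-Protection, X-Content-Type-Options and Content-Security-Policy) are easy to verify after an upgrade by inspecting a captured response. The following is an added example, not Palo Alto Networks code: the sample responses are constructed, and because this page does not state the header values PAN-OS sends, the check only requires the headers to be present, except X-Content-Type-Options, whose single defined value is nosniff.

```python
"""Check an HTTP response head for the security headers that PAN-OS 8.1.1 adds
to management (MGT) interface responses and GlobalProtect portal login
responses.

Added example, not Palo Alto Networks code. Sample responses are constructed.
"""

# Header name -> expected value (None means any non-empty value is accepted,
# since this release note states presence, not the exact policy string).
REQUIRED_HEADERS = {
    "X-XSS-Protection": None,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": None,
}


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status line, {lower-case name: value}).

    Accepts either CRLF or LF line endings (e.g. text pasted from `curl -i`).
    Only the head up to the first blank line is parsed; the body is ignored.
    A duplicated header name keeps the last value, which suffices for this check.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def check_security_headers(raw):
    """Return findings for one response.

    'missing' lists required headers that are absent or empty; 'unexpected'
    maps a header to its value when a defined value was expected and not
    found. Both empty means the response matches the 8.1.1 behaviour.
    """
    status_line, headers = parse_response_head(raw)
    findings = {"status": status_line, "missing": [], "unexpected": {}}
    for name, expected in REQUIRED_HEADERS.items():
        value = headers.get(name.lower())
        if not value:
            findings["missing"].append(name)
        elif expected is not None and value.lower() != expected:
            findings["unexpected"][name] = value
    return findings


# Constructed sample: a login-page response carrying none of the three headers.
PRE_FIX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response with all three headers present.
POST_FIX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: no-cache\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: header present but with a value browsers do not honour.
BAD_VALUE_RESPONSE = POST_FIX_RESPONSE.replace(
    "X-Content-Type-Options: nosniff", "X-Content-Type-Options: no-sniff")


if __name__ == "__main__":
    for label, raw in (("pre-fix", PRE_FIX_RESPONSE),
                       ("post-fix", POST_FIX_RESPONSE),
                       ("bad-value", BAD_VALUE_RESPONSE)):
        print(label, check_security_headers(raw))
```

To use it against a real device, paste the head of a response captured from the MGT interface or the portal login page into the raw string; the presence check is deliberately lenient because the release note promises the headers, not a specific policy, so tightening the expected Content-Security-Policy value is a site decision.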
Fixed an issue in an HA active/active configuration where traffic in a GlobalProtect VPN tunnel in SSL mode failed after Layer 7 processing if asymmetric routing was involved.
PAN-85308: Fixed an issue in the output for on-demand custom reports (select Monitor > Manage Custom Reports > <report> and Run Now) where the <column_heading> drop-down displayed a Columns option even though you couldn't add or remove columns. With this fix, the <column_heading> drop-down no longer displays a Columns option.
Fixed an issue where the firewall dropped packets based on a QoS class even though traffic didn’t exceed the maximum bandwidth for that class.
Fixed an issue where connections that the firewall handles as an Application Level Gateway (ALG) service were disconnected when destination NAT and decryption were enabled.
Fixed an issue where, after end users who haven't yet enrolled in Duo failed to authenticate to a GlobalProtect portal that used a RADIUS server integrated with Duo for multi-factor authentication, the portal login page displayed Invalid username or password as the authentication error instead of displaying a Duo enrollment URL so that the users could enroll.