PAN-OS 8.1.11 Addressed Issues
Fixed an issue where the show wildfire global last-device-registration all CLI command incorrectly returned an error message: Failed, even when you registered the firewall correctly.
Fixed an issue where logins and commits took longer than expected when you used XML API calls to create new address objects.
An enhancement was made to improve firewall performance for stream control transmission protocol (SCTP) flows. To enable this enhancement, run the set sctp fast-sack yes CLI command.
An enhancement was made to enable you to configure IPv6 in the web interface and through a CLI command when you added IPv6 virtual addresses to a firewall in a high availability (HA) active/active configuration.
An enhancement was made to enable you to delete the GTP-C tunnel with all GTP-U tunnel sessions after the firewall received a Delete Bearer Response message where default bearer ID=5. To enable this enhancement, run the set gtp ebi5-del-gtpc [yes/no] CLI command.
Fixed an issue where the timer system call activated more frequently than expected, which caused higher than expected CPU usage.
Fixed an issue on VM-Series firewalls in an HA active/passive configuration where the active firewall leaked packet buffers when links were disconnected from the hypervisor.
(PA-5200 and PA-7000 Series firewalls only) Fixed an issue where conflicting GTP sessions were installed in a short interval, which caused the firewall to queue GTP packets and deplete packet buffers.
Fixed an issue where an administrator with a Superuser role could not reset administrator credentials.
Fixed an issue where the Wildfire Analysis Report incorrectly displayed the following error message:
You are not authorized to access this page on the web interface.
(PA-5260 firewalls only) Fixed an issue where a process (mpreplay) stopped responding after a commit when you configured the firewall with more than 200 virtual systems (vsys) running on PAN-OS® 8.1.9.
Fixed an issue where VM-Series firewalls on Microsoft Azure experienced traffic latency due to an incompatible driver.
Fixed an issue where the BGP did not remove the IPv6 default route from the forwarding table after the route was withdrawn.
Fixed an issue on Panorama M-Series and virtual appliances where a validation job triggered a memory leak in a process (configd), which caused context switching between Panorama and the web interface to respond slower than expected.
Fixed an issue where the firewall only reported a maximum of two logs when you configured more than two hardware security modules (HSM).
Fixed an issue on Panorama M-Series and virtual appliances where partial commits did not apply configuration changes as expected.
(PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding.
Fixed an issue on Panorama M-Series and virtual appliances where objects were not compressed, which caused higher than expected CPU and memory usage.
Fixed an issue where the DNS packet parser incorrectly processed DNS packet headers when the QD count is 0, which caused the DNS server to stop responding.
(PA-5050 firewalls only) Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding. With this fix, session capacity is reduced by 400,000.
Fixed an intermittent issue where the firewall dropped sessions that used a large number of predict sessions.
Fixed a rare issue where the show running CLI commands for policy addresses caused file descriptor leaks.
Fixed an issue where an inaccurate sequence number check for an RST packet caused the packet to drop.
Fixed an issue where the firewall incorrectly enforced URL category policies and erroneously triggered
Fixed an issue on a firewall in an HA active/active configuration where Oracle traffic SYN packets dropped intermittently with the
Fixed a memory allocation issue that prevented URL filtering logs from displaying the full URL.
Fixed an issue on Panorama M-Series and virtual appliances where shared policies were out of sync due to an empty stream control transmission protocol (SCTP) after you upgraded the firewall from PAN-OS 8.0.16 to PAN-OS 8.1.8.
Fixed an issue on firewalls configured with authentication policies where UDP and ICMP packets matching an authentication policy did not generate traffic logs as defined in the Security policy when sessions were redirected or denied.
Fixed an issue on a firewall in an HA active/passive configuration where a process (all_pkts) stopped responding and the dataplane restarted due to an internal path monitoring failure and an HA failover event.
Fixed an issue where administrators were unable to export Security Assertion Markup Language (SAML) metadata files from virtual system (vsys) specific authentication profiles.
Fixed an issue where LDAP authentication failed when you configured the authentication server with an FQDN.
Fixed an issue where commits failed when you moved an object referenced in a policy to a shared group.
Fixed an issue where the firewall was unable to detect the hardware security module (HSM), which caused the firewall to drop SSL traffic.
(PA-3050 and PA-3060 firewalls only) Fixed an issue where a higher than expected number of flow_fpga_flow_update messages occurred when you configured QoS.
Fixed an issue where job threads were deadlocked, which prevented login attempts and displayed the following error message:
CONFIG_LOCK: write lock TIMEDOUT for cmd.
Fixed an issue where the BGP aggregate prefix, which is advertised to multiple BGP peers, was removed from RIB OUT when you disabled one of the BGP peers.
Fixed an issue where community attributes to BGP routes had a character limit of 31 characters, which caused expressions to take longer than expected to process.
Fixed an issue where eBGP peers connected by a VPN tunnel failed to come up when you configured eBGP
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure Enable X-Auth Support at the Template-stack level.
Fixed an issue where the firewall sent empty attributes in the LDAP query when you did not configure Alternate Username 1 - 3 (Group Mapping Settings, User and Group Attributes) in the User Attributes web interface.
Fixed an issue where you were unable to deploy bootstrapped content in offline environments due to content validity checks.
Fixed an issue where an API call for correlated events did not return any events.
Fixed an issue where the firewall logged URL categories configured for Allow in the URL filtering logs.
An enhancement was made to enable firewalls, Panorama management servers, and log collectors running a PAN-OS 8.1 release to receive new App-ID™ signatures in the new ID signature range (7,020,001 to 7,040,000). To enable this enhancement, you must reinstall the current content update or install a later content update.
Fixed an issue where commits failed after you upgraded from PAN-OS 8.0.16 to PAN-OS 8.1.6 due to an invalid encryption state for a host information profile (HIP) object.
Fixed an issue where the firewall was unable to authenticate when you pushed a public key from Panorama.
Fixed an issue where the FQDN address object displayed the following unrelated error:
<FQDN-name> Not used.
Fixed an issue where DNS names with more than 63 characters did not resolve FQDN address objects during an FQDN refresh.
Fixed an issue where the show system info CLI command incorrectly displayed
Fixed an issue on a firewall where a bypass switch sent heartbeat messages to the firewall, which triggered non-stop link status change interrupts through a Marvell switch.
Fixed an issue where data logs were generated but the firewall did not forward the logs to the syslog server.
Fixed an issue where predict sessions were incorrectly created with a captive-portal zone, which caused the firewall to drop RTP traffic.
Fixed an issue where an incorrect predict session was created when a policy-based forwarding (PBF) policy was used without a NAT in the parent session, which caused the firewall to drop RTP and RTCP packets.
Fixed an issue where the Username Modifier %USERDOMAIN%\%USERINPUT% enabled you to log in to a locked out user account.
Fixed an issue where commits failed and displayed the following error message:
Commit job was not queued. All daemons are not available.
Fixed an issue where temporary download files were deleted before a download job was completed, which caused the progress bar to remain at 0% and prevented a timeout when downloads fail.
Fixed an issue where the firewall did not resolve an external dynamic list server address when the DNS proxy configured it as a static entry.
Fixed an issue on Panorama M-Series and virtual appliances where scheduled uploading and installation of WildFire® content meta files to WF-500 appliances failed and displayed the following error message:
device not supported.
Fixed an issue where the debug management-server summary-logs flush-options max-keys CLI command did not persist through a system reboot.
A change was made to limit debug log visibility to superusers only.
Fixed an issue on Panorama M-Series and virtual appliances where
) did not appear in the
Interface drop-down menu when you tried to configure a Decryption Profile.
Fixed an issue on a firewall in an HA active/passive configuration where a split-brain condition occurred after you upgraded from PAN-OS 8.1.3 to PAN-OS 8.1.6.
Fixed an issue where Panorama was unable to query logs forwarded from the firewall to the log collector.
Fixed an issue where renaming a template stack did not change the value and reset to the original value after you committed the change.
Fixed an issue where extended packet capture (pcap) for threat logs caused a process (mgmtsrvr) to stop responding.
Fixed an issue where the firewall dropped TCP trace route traffic after you upgraded to PAN-OS 8.1.5. To leverage this fix, run the set session tcp-reject-diff-syn no CLI command.
Fixed an issue where a larger than expected number of "Could not find entry for interface ethernet1/<interface>.<subinterface> in CPS table" messages filled the snmpd.log, which caused the log file to rotate more frequently than expected.
Fixed an issue where Panorama incorrectly deleted valid device group directories and was unable to generate reports.
Fixed an issue where the Throughput column was incorrectly labeled.
(PA-5200 Series firewalls only) Fixed an issue where the total entries for the URL filtering allow list, block list, and custom categories was incorrectly changed to a 100,000 entries limit.
Fixed an issue where you were unable to access a firewall due to a defective small form-factor pluggable (SFP)/SFP+ module inserted into the firewall.
Fixed an issue where the firewall did not capture the number of packets in the threat packet capture (pcap) as configured in the extended packet capture length setting.
Fixed an issue on Panorama M-Series and virtual appliances configured as log collectors where SSH did not respond after you enabled SSH on ethernet1/1.
Fixed a rare issue where an incorrect User-ID™ match to the respective LDAP group caused a security policy mismatch.
Fixed an issue on a firewall in an HA active/passive configuration where you were unable to synchronize configurations or dynamic updates between HA pairs.
Fixed a memory leak issue on a firewall during a commit, which prevented the firewall from generating GlobalProtect client configurations.
Fixed an issue where the firewall dropped Session Initiation Protocol (SIP) registration packets, which caused SIP sessions to fail.
Fixed an issue where a typo in the MIB definition file caused an error message when you loaded a PAN-TRAPS.my file:
ERROR: Cannot find symbol panSctpDIamAvpCode
Fixed an issue on a firewall configured with a GlobalProtect gateway where after you upgraded from a PAN-OS 7.1 release to a PAN-OS 8.0 or later release and committed the configuration, the following error message displayed:
SSLVPN: Invalid access-routess (null) in tunnel GPgateway-N.
Fixed an issue where when you configured the URL Filtering Profile (
Shared all custom URL categories pushed displayed on the web interface and returned the following error message:
test -> credential-enforcement -> allow 'Blocked-Category-Exceptions' is not valid reference test -> credential-enforcement -> allow is invalid.
Fixed an issue where the VPN tunnel operational status incorrectly displayed "up" even though the VPN tunnel is down.
Fixed a rare issue on a firewall in an HA active/passive configuration running in FIPS-CC mode where the passive firewall rebooted into maintenance mode.
Fixed an issue where the firewall did not detect duplicate Destination/Source IP Addresses entered into the Security Policy Rule.
Fixed an issue where a process (useridd) ran out of file descriptors and stopped responding due to the rate of concurrent Security Assertion Markup Language (SAML) requests initiated by Authentication policy rules.
Fixed an issue on Panorama M-Series and virtual appliances where CLI commands returned the following error message when a commit job was not pending:
Error: Timed out while getting config lock. Please try again
An enhancement was made to enable the firewalls and Panorama M-Series and virtual appliances to set the SameSite attribute to Strict and the GlobalProtect portal to set the SameSite attribute to
Fixed an issue where the firewall did not detect all threat sessions while the App and Threat content installation was processed.
(VM-Series NSX edition firewalls only) Fixed an issue where the existing logs for dynamic address updates had insufficient information to debug the root cause of a bug and where the dynamic address update logs were larger than expected, which caused the file to roll over every five minutes and did not provide a sufficient log history to debug issues.
(PA-5200 Series and PA-3200 Series firewalls only) Fixed a rare issue where invalid packets caused the firewall to stop responding as expected when you configured the dataplane port to traverse HA3 traffic.
Fixed an issue on a firewall where repeated failed validation errors were reported for validated configurations due to a race condition.
Fixed an issue on a firewall in an HA active/passive configuration where a process (pan_comm) stopped responding when you configured an external dynamic list, which caused commits to fail and displayed the following error message:
failed to handle CONFIG_UPDATE_START.
Fixed an issue where the Security Assertion Markup Language (SAML) schema size limit (100,000 characters) prevented the SAML Identity Provider Server Profile Import (SAML Identity Provider) from importing SAML metadata.
Fixed an issue where a process (configd) exceeded the virtual memory usage limit and caused the firewall to restart. With this fix, you must run the debug management-server system globalfind disable-db-lookup and debug management-server system appweb-thread-count enhance commands.
Fixed an issue where Panorama did not send the preference list to managed firewalls, which caused logs to be forwarded to the CMS instead of the log collector.