PAN-OS 8.1.12 Addressed Issues

Fixed an issue where an XML API call incorrectly masked the response, which prevented role based administrators from running the response.

Fixed an issue where after you switched the Context from Panorama™ to a firewall, the DESTINATION ZONE (PoliciesSecurity<policy-name>Destination) incorrectly displayed none.

Fixed an issue on Panorama M-Series and virtual appliances where the <show><object><registered-ip></registered-ip></object></show> XML API call did not retrieve more than 500 entries.

Fixed an issue where the DNS packet parser incorrectly processed DNS packet headers when the QD count was 0. With this fix, the DNS packet parser aborts processing when QD!= 1.

Fixed an issue where a large number (65,000) of GlobalProtect™ user connections caused a process (sslvpn) to stop responding after you upgraded from PAN-OS® 8.1.10 to PAN-OS 8.1.11.

Fixed an issue where an incorrect commit job in the queue caused the FQDN to display Not resolved after you performed a commit.

(PA-7000 Series firewalls only) Fixed an issue where internal path monitoring failures occurred due to either a buffer leak or buffer corruption.

(PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) Fixed an issue where after you upgraded the first peer in a high availability (HA) configuration to PAN-OS 8.1.9-h4 or a later] release, the High Speed Chassis Interconnect (HSCI) port did not come up due to an FEC mismatch until after you finished upgrading the second peer.

Fixed an issue where a purge script stopped responding, which caused a process (logrcvr) to discard incoming logs.

Fixed an intermittent issue where the default route did not redistribute to an OSPF Not-So-Stubby Area (NSSA).

Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where the CPU ID and serial number changed after you upgraded from PAN-OS 8.0.13 to PAN-OS 8.1.9-h4.

(PA-7000 Series firewalls only) Fixed an issue where internal path monitoring failed when the firewall processed corrupt packets.

Fixed an issue where a process (all_pktproc) stopped responding due to a NULL pointer exception while cleaning up SSL proxy sessions previously configured for GlobalProtect.

(PAN-OS 8.1.10 and later releases only) Fixed an issue where the data from Security policies did not export as expected.

Fixed an intermittent issue where after you configured Cache EDNS Responses (NetworkDNS Proxy<DNS Proxy-name>Advanced) a process (dnsproxy) stopped responding.

Fixed an issue where the firewall did not match the Security policy when you configured the match condition to a shared local group.

Fixed an issue where a process (openssl) caused higher than expected management CPU usage due to the incompletion of the Online Certificate Status Protocol (OCSP) during the logging service certificate validation.

Fixed an issue on a firewall in an HA active/passive configuration where a daemon (routed) did not receive the updated interface status after an HA failover, which caused routes to remain in the routing and FIB tables.

Fixed an issue where multiple No valid URL filtering license warning messages were generated during a commit due to an expired URL filtering license. With this fix, the warning messages are grouped into a single message per virtual system (vsys).

Fixed an issue where commits failed and displayed the following error message: priority is invalid when you configured the GlobalProtect priority to None.

Fixed an issue on VM-Series firewalls where the firewall dropped all traffic traversing from the dataplane to the management plane.

Fixed an issue on a firewall in an HA active/passive configuration where the route to the passive firewall dropped during a failover.

Fixed an issue where the real-time clock (RTC) battery voltage exceeded the maximum threshold and triggered alerts in the system log.

Fixed an issue on Panorama M-Series and virtual appliances where after you configure the firewall with an API call commits took longer than expected.

Fixed a configuration lock issue where you were unable to log in after you upgraded from PAN-OS 8.1.6 to PAN-OS 8.1.9.

Fixed an issue where traffic logs that contained incorrect Security policies were generated during an active commit process when the Security policies were being added or removed.

Fixed an issue where new logs were not ingested due to a buffer exhaustion condition caused by invalid messages incorrectly handled by elastic search.

A fix was made to address a missing XML validation vulnerability in the PAN-OS web interface (CVE-2020-1975).

Fixed an issue where the firewall dropped pre-VLAN spanning tree (PVST+) packets from the virtual wire interface when you executed the set session rewrite-pvst-pvid yes CLI command.

A fix was made to address an authentication bypass vulnerability in the Panorama context switching feature (CVE-2020-2018).

(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS 8.1.11 only) Fixed an intermittent issue where a process (all_pktproc) stopped responding due to a Work Query Entry (WQE) corruption that was caused by duplicate child sessions.

Fixed an issue where the Dashboard did not display the release dates for Application Version, Threat Version, and Antivirus Version.

Fixed an issue on a firewall running snmpwalk where 100GB interfaces were incorrectly displayed as 1GB.

Fixed an issue on a firewall in an HA active/passive configuration where a process (useridd) restarted multiple times and caused the firewall to reboot.

Fixed an issue where a process (mprelay) stopped responding.

Fixed an issue on Panorama M-Series and virtual appliances where the firewall stopped forwarding logs to Cortex Data Lake after you upgraded the cloud services plugin to 1.4.

Fixed an issue where the firewall incorrectly logged target filenames when an antivirus signature was triggered over a Server Message Block (SMB) protocol.

Fixed an issue where the firewall did not respond to TCP DNS requests when the firewall acted as a DNS proxy.

Fixed an issue where the DHCP server incorrectly processed bootp unicast flag requests.

Fixed an issue where parent sessions were dropped while installing a duplicate predict session.

(PA-3200 Series and PA-5200 Series firewalls only) Fixed an issue where the firewall did not capture inbound Encapsulating Security Payload (ESP) protocol 50 packets at the receive stage.

(PA-800 Series and PA-220 firewalls only) Fixed an issue where the hrProcessorLoad.2 OID displayed incorrect values.

(PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an issue where the firewall restarted due to an internal path monitoring heartbeat failure during periods of more than expected traffic load.

(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the dataplane sent positive acknowledgments to predict-status checks from FPP when the corresponding predict was deleted, which caused SIP and RTSP applications to perform less than the expected achievable performance.

Fixed an issue where downloading the GlobalProtect app software on your GlobalProtect portal took longer than expected.

Fixed an intermittent issue where the dataplane stopped responding when processing compressed traffic.

Fixed an issue where a process (routed) stopped responding when you configured virtual interfaces.

Fixed an issue where certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) checks did not respond as expected when you configured Block session if certificate status is unknown.

Fixed an issue on a firewall in an HA active/passive configuration where after you submitted a host information profile (HIP) report a duplicate User-ID™ log was generated on the passive firewall.

Fixed an issue where the Security Parameter Index (SPI) size was incorrectly set in the IKE Phase 2 packet when you configured commit-bit on the neighboring device, which caused IKE negotiations to fail on the neighboring device.

Fixed an issue where URL filtering blocked web traffic by the security policy that did not have URL filtering enabled.

Fixed an issue on VM-Series firewalls where the ager ran faster than expected, which prematurely caused the master key to expire.

A fix was made to address an external control of path and data vulnerability in the Palo Alto Networks Panorama XSLT processing logic (CVE-2020-2001).

Fixed an issue where the firewall caused unnecessary fragmentation when traffic and tunnel were content inspected, which caused retransmission and slowed response time.

Fixed an issue where you were unable to view DHCP leases from the web interface or through the show dhcp server lease interface all CLI command due to the request taking longer than expected, which resulted in a time out.

Fixed an issue where Panorama did not send correlation events and logs to the syslog server after you upgraded the firewall from PAN-OS 8.0.9 to PAN-OS 8.1.7.

Fixed an issue where the firewall incorrectly forwarded incomplete and corrupted files through the Server Message Block (SMB) protocol to WildFire.

Fixed an issue on a firewall in a high availability (HA) active/passive configuration where a process (flow_ctrl) received and restarted due to a malformed ICMPv6 neighbor advertisement packet.

Fixed an issue where you were not redirected to the application URL after authentication.

Fixed an issue where the firewall incorrectly calculated the TCP segment size when performing forward proxy decryption.

Fixed an issue where Discover (DeviceUser IdentificationUser MappingServer Monitoring) stopped responding after you configured a DNS proxy.

Fixed an issue where corrupt logs caused buffered log forwarding to stop responding.

Fixed an issue on Panorama M-Series and virtual appliances where communication between two processes (mgmtsrvr and logd) stopped responding.

An enhancement was made to improve subsequent loading times of device groups after the first load.

Fixed an issue on Panorama M-Series and virtual appliances where custom reports from the User-ID log displayed the incorrect receive date.

Fixed an issue where a daemon (dnsproxy) incorrectly handled TCP requests, which caused the daemon (dnsproxy) to stop responding.

Fixed an issue where a process (panio) caused more than expected CPU consumption.

Fixed an issue where local user group names that contained upper case characters were not converted to lower case characters prior to encoding, which caused the firewall not to load user groups names with upper case characters.

Fixed an issue where the BGP Conditional Advertisement suppress condition was not met, which caused the Conditional Adv (NetworkVirtual Routers<router-name>BGP) not to apply the NEXT HOPS prefix range.

Fixed an issue on a firewall in a high availability (HA) active/active configuration where larger than expected packets sizes were silently dropped when traversing through an HA3 link in an asymmetric network.

Fixed an issue where the GlobalProtect portal used an outdated jQuery library.

(PA-5200 Series firewalls only) Fixed an issue where applications using the GlobalProtect Clientless VPN did not respond when the Clientless VPN used a VLAN interface.

Fixed an issue where pushed template configurations were overridden when you made a configuration change in the Master Key Lifetime (Device Master Key and DiagnosticEdit) field.

(PA-5200 Series firewalls only) Fixed an issue where the show system logd-quota CLI command did not display the Session log storage Quotas as expected.

Fixed an issue where you were unable to generate WildFire analysis reports in the WildFire Submissions log when you configured Proxy Server (DeviceSetupServicesGlobal).

Fixed an issue where traffic logs and URL Filtering logs did not display the URL for decrypted traffic.

Fixed an issue where the Security Assertion Markup Language (SAML) for GlobalProtect did not respond as expected when you configured the IdP certificate as None on the SAML IdP server profile.

Fixed an issue where an API call against a Panorama management server, which triggered the request analyze-shared-policy command caused Panorama to reboot after you executed the command.

Fixed an issue on Panorama M-Series and virtual appliances where User Activity Report (MonitorPDF Reports) did not generate reports as expected.

Fixed an issue where some packets had incorrect timestamps in the transmit stage during packet capture.

Fixed an issue where the firewall did not exclude video traffic from the GlobalProtect tunnel when you configured Exclude video traffic from the tunnel (Windows and macOS only) (NetworkGlobalProtectGateways<gateway-name>AgentVideo Traffic).

An enhancement was made to enable administrators to select signature and digest algorithms for outgoing Security Assertion Markup Language (SAML) messages through a CLI command.

Fixed an Issue where the dataplane stopped responding due to an incorrect parsing of cookies for GlobalProtect Clientless VPN applications.

Fixed an issue on a firewall in an HA active/active configuration where virtual MAC addresses pushed from Panorama were overridden on the local firewall.

Fixed an issue where the firewall did not release the default DHCP route when a new IP address was obtained on a DHCP configured interface.

Fixed an issue where GlobalProtect authentication failed when you used the domain in the group mapping and a User Principle Name (UPN) format for authentication.

Fixed an issue on a firewall in a high availability (HA) active/active configuration where the names of the virtual routers were pushed from the active-primary firewall to the active-secondary firewall when you sync the configuration, which caused schema verification to stop responding when you do a local commit on the active-secondary firewall.

Fixed an issue where vsysadmins were unable to view the locks on all the virtual systems they were assigned to. To view the locks in CLI run the new show commit-locks vsys and show config-locks vsys CLI commands.

Fixed an issue where a process (configd) exceeded the memory limit and stopped responding.

Fixed an issue on Panorama M-Series and virtual appliances where memory utilization increased more than expected when you deleted several rules with an XML API delete command.

Fixed an issue where you were unable to establish an SSH session through a CLI command using a Diffie-Hellman (DH) algorithm.

Fixed an issue where the date in the GlobalProtect HTTP header was incorrectly set to a random date instead of a zero ( 0 ), which negatively and falsely impacted security scorecard ratings.

Fixed an issue where authentication failed for newly added groups in the authentication profile Allow List.

(PA-5200 Series firewalls only) Fixed an issue on a firewall in a high availability (HA) active/passive configuration where an HA1 heartbeat backup connection flap occurred and displayed the following error message: ha_ping_send/No buffer space available.

(PA-7000 Series firewalls using PA-7000-20G-NPC or PA-7000-20GQ-NPC cards only) Fixed an intermittent issue on a firewall in an HA active/passive configuration where traffic interruptions occurred until you triggered a manual failover.

Fixed an issue where a process (mprelay) stopped responding and invoked an out-of-memory (OOM) killer condition and displayed the following error messages: tcam full and pan_plfm_fe_cp_arp_delete.

Fixed an issue where traffic traversing through an IPSec tunnel did not use the default maximum interface bandwidth, which caused the traffic to traverse through the IPSec tunnel with latency.

Fixed an issue where more than expected re-connection attempts to Cortex Data Lake caused the management plane CPU to spike and caused a process (mgmtsrvr) to stop responding.

Fixed an issue where SSL renegotiation sessions incorrectly identified URL categories.

An enhancement was made to enable you to configure syslog parameters through the CLI debug command. To view the available parameters and change the configurations, run the debug syslogng-params settings CLI command and perform a commit force to apply the edits.

Fixed an issue where the firewall was unable to access the CPU information and caused the CPU frequency to set to 0, which resulted in a divide by zero error and caused a process (devsrvr) to stop responding.

Fixed an issue where the system log incorrectly reported intermittent certificate revocation list (CRL) fetches as successful even though the fetches were not successful.

Fixed an intermittent issue where a process (useridd) incorrectly reported successful Ops commands and did not download Dynamic Address Group updates, which prevented virtual machines from updating Dynamic Address Groups.

Fixed an issue where a process (mgmtsrvr) stopped responding when another process (masterd) sent a signal interruption after you upgraded from a PAN-OS 8.0 release to a PAN-OS 8.1 release.

Fixed an issue where Panorama displayed incorrect device monitoring values (PanoramaManaged DevicesHealth) for the firewall.

Fixed an issue where the firewall restarted when you unplugged the QSFP+ module from the High Speed Chassis Interconnect (HSCI) port.

Fixed an issue where an application dependency warning incorrectly displayed when you configured negate-source yes on a security rule to deny an application.

Fixed an issue on Panorama M-Series and virtual appliances where you could not add and generate a certificate as expected.

Fixed an issue where the Online Certificate Status Protocol (OCSP) check stopped responding when the leaf certificate was sent twice in the OCSP request.

Fixed an issue where the firewall tried to resolve deleted FQDN address objects after an FQDN refresh.

Fixed an issue on a firewall in an HA active/active configuration where ARP entries were removed from a floating IP address on an Ethernet interface when you deleted another floating IP address on the same Ethernet interface.

An enhancement was made to enable you to set the signing algorithm to sha-1 or sha-256 in the Security Assertion Markup Language (SAML) message on the firewall.

Fixed an issue where VM-Series firewalls were unable to support the maximum number of tunnel interfaces due to less than expected memory allocation.