PAN-OS 8.1.13 Addressed Issues
End-of-Life (EoL)
PAN-OS® 8.1.13 addressed issues.
Issue ID | Description |
---|---|
PAN-136698 | Fixed an issue where a process (all_pktproc) stopped
responding and the dataplane restarted when the firewall processed
a malformed GPRS tunneling protocol (GTP) packet. |
PAN-135260 | (PA-7000 Series firewalls running PAN-OS
8.1.12 only) Fixed an intermittent issue where the dataplane
process (all_pktproc_X) on a Network Processing Card
(NPC) restarted when processing IPSec tunnel traffic. |
PAN-134678 | (PA-5200 Series firewalls only)
Fixed an issue where the Quad Small Form-factor Pluggable (QSFP)
28 ports 21 and 22 did not respond when plugged in with a Finisar
100G AOC cable. |
PAN-133582 | Fixed an issue on the firewalls where some
Dynamic Address Groups pushed from Panorama were missing member
IP addresses. |
PAN-133440 | Fixed an issue where fragmented traffic
caused high dataplane use and firewall performance issues. |
PAN-133436 | Introduced the clear url-cache all CLI
command to aggressively clear the dataplane URL cache. |
PAN-133378 | Fixed an issue in Panorama where a process (configd)
restarted during a commit using a RADIUS super admin role. |
PAN-133048 | (PA-5200 and PA-7000 Series only)
Fixed an issue where traffic was processed asymmetrically when using
Internet Protocol (IP) classifiers on virtual wire (vwire) subinterfaces. |
PAN-133042 | (PA-5200 and PA-7000 Series only)
Fixed an issue where certain GPRS tunneling protocol (GTP) traffic
was dropped even when gtp nodrop was
enabled. |
PAN-131993 | Fixed an issue where a process (reportd) stopped
responding while running a log query. |
PAN-131907 | Fixed an issue where GPRS tunneling protocol
(GTP) version 2 handling was unable to handle fully qualified tunnel
endpoint IDs (FTEID) coming in reverse order, leading to GTP-C and
GTP-U flows with incorrect IP addresses and tunnel endpoint IDs
(TEIDs). This caused a GTP stateful inspection failure for further
packets on the respective flows. |
PAN-130773 | Fixed an issue where users saw a page with
a random phone number for authentication and could not proceed further
in the authentication process when multi-factor authentication (MFA)
was configured as the authentication portal. |
PAN-130640 | Fixed an issue where the management plane
CPU was high due to index generation on summary logs. |
PAN-130573 | Fixed an issue where the software pool for
Regex results was depleted and caused connection failures. |
PAN-130447 | Fixed an issue where offloaded traffic was
dropped by the firewall every time an explicit commit (Commit on
the firewall locally or Commit All Changes in
Panorama) or an implicit commit (Antivirus update, Dynamic Update,
WildFire update, and so on) was performed on the firewall. |
PAN-130345 | Fixed an issue where the Panorama VM rebooted
while filtering for configuration logs when the query value was
not one of the predefined string results. |
PAN-130290 | Fixed an issue where in the web interface,
traffic logs did not display the destination zone (Monitor
> Logs > Traffic > To Zone) for multicast sessions. |
PAN-130262 | Fixed a rare issue where 200 OK messages
were dropped during the offload of traffic for App-ID inspection. |
PAN-130229 | Fixed an issue on Panorama appliances where
you could not change maximum transmission unit (MTU) values from
the web interface, which displayed the following error message: Malformed Request. |
PAN-130069 | Fixed an issue where the firewall incorrectly
interpreted an external dynamic list MineMeld instability error
code as an empty external dynamic list. |
PAN-129658 | Fixed an issue where GTP inspection stopped
functioning after unrelated changes in policy and a commit followed
by a high availability (HA) failover. |
PAN-129518 | Fixed an issue where the firewall restarted
due to an out-of-memory condition caused by a leak in a process (ikemgr). |
PAN-129490 | Fixed an issue where CRL/OCSP verifications
failed due to requests routing through the management interface
even when service route was configured. |
PAN-128908 | If an admin user password was changed but
no commit was performed afterward, the new password did not persist
after a reboot. Instead, the admin user could still use the old
password to log in, and the calculation of expiry days was incorrect
based on the password change timestamp in the database. |
PAN-128856 | Fixed an issue where the disk usage calculation
was getting corrupted and purging logs. |
PAN-128717 | Fixed an issue in Panorama where after switching
context to a managed device, the session idle timeout was not being
updated, and the web session timed out even when the administrator
was actively working. |
PAN-128248 | A fix was made to address a vulnerability
with a race condition due to an insecure creation of a file in a
temporary directory in PAN-OS (CVE-2020-2016). |
PAN-127087 | Fixed an issue in the firewalls where a
push operation (Commit All Changes) from
Panorama failed on the passive firewall when pushing a large number
of security policy additions to both firewalls in an HA pair. |
PAN-126412 | Fixed an issue where hardware security module
(HSM) authentication from the web interface failed if the password
contained an ampersand (&). |
PAN-126278 | Fixed an issue where a burst of VLAN-tagged
packets in a congested system caused an overflow and locked up the
firewall. The threshold has been increased with this fix. |
PAN-126202 | Fixed an issue where a process (routed)
stopped responding when users accessed the web interface to view
the OSPF interface data (Network > Virtual Routers >
More Runtime Stats > OSPF > Interface) if OSPF MD5 was configured
in the OSPF Auth profile. |
PAN-126069 | Fixed an issue in Panorama where logs couldn't
be viewed when an additional log collector was configured in the
existing log collector group. |
PAN-126017 | Fixed an issue where the set application dump on rule CLI
command did not accept rule names greater than 32 characters despite
a stated limit of 63 characters. |
PAN-125804 | A fix was made to address an issue where
an OS command injection vulnerability in the PAN-OS management server
allowed authenticated administrators to execute arbitrary OS commands
with root privileges when uploading a new certificate in FIPS-CC
mode (CVE-2020-2028). |
PAN-125546 | Fixed an issue where a process failed to
restart even when the system logs displayed the following message: virtual memory exceeded, restarting. |
PAN-125306 | Fixed an issue where a Transmission Control
Protocol (TCP) connection reuse was incorrectly handled by a high
availability (HA) active/active cluster with asymmetric flows. |
PAN-125243 | Fixed an issue where the VM-Series firewall
restarted due to a deadlock condition occurring when processing
QoS-enabled L7 traffic. |
PAN-125194 | Fixed an issue where system startup failed
when the collector group was configured with an incorrect serial
number of invalid length. |
PAN-125122 | A fix was made to address a cleartext transmission
of sensitive information vulnerability in Palo Alto Networks PAN-OS
and Panorama that disclosed an authenticated PAN-OS administrator's
PAN-OS session cookie (CVE-2020-2013). |
PAN-125032 | Fixed an issue where, when Minimum Password Complexity was Enabled for
all local administrators, the setting was also applied to plugin
users. This caused API calls from plugin users to fail (HTTP Error code 502)
because the password change was not made for the users and authentication
failed. |
PAN-124802 | Fixed an issue where LACP connectivity issues
were observed due to high CPU utilization when multiple dataplanes
were used. |
PAN-124621 | A fix was made to address an issue where
an OS command injection vulnerability in the PAN-OS web management
interface allowed authenticated administrators to execute arbitrary
OS commands with root privileges by sending a malicious request
to generate new certificates for use in the PAN-OS configuration (CVE-2020-2029). |
PAN-124495 | Fixed an issue on Panorama where the task
manager showed locally executed jobs but did not show tasks or jobs
pushed to managed firewalls. |
PAN-124428 | Fixed an issue where Address Resolution
Protocol (ARP) randomly failed on one of the interfaces for a firewall
deployed in the KVM/GCP/ESXi clouds. |
PAN-124087 | Fixed an issue where GPRS tunneling protocol
(GTP) v2 protocol handling was not able to handle the secondary
Modify Bearer Request/Response in the GTP-C session. |
PAN-123858 | Fixed an issue on firewalls where a process (useridd)
restarted while processing incorrect ip-user mappings
that contained blank usernames from User-ID agents. |
PAN-123843 | Fixed an issue for Cloud/VM platforms where
the tunnels between the log collectors did not come up when a public
IP was used for the log collectors in an environment with a Panorama
management server and two or more log collectors. |
PAN-123830 | Fixed an issue where the GlobalProtect™
portal used an outdated getbootstrap version. |
PAN-123747 | Fixed an issue where App-ID signatures failed
to match when there were more than 12 partial App-ID matches within
the same session. |
PAN-123736 | Fixed an issue where Create Session Request
message looped internally causing continuous packet inspection and
consuming firewall resources. |
PAN-123391 | A fix was made to address a predictable
temporary file vulnerability in PAN-OS (CVE-2020-1994). |
PAN-123295 | Fixed an issue where the dataplane restarted
due to a race condition when a configuration push and a Netflow
update occurred simultaneously. |
PAN-122909 | Fixed an issue on the firewalls where enabling SSL Forward
Proxy using the hardware security module (HSM) led to
intermittent failure while loading random secure websites with the following
message: ERR_CERT_INVALID. This occurred mainly
with servers presenting ECDSA certificates. |
PAN-122872 | Fixed an issue where the Aggregate Ethernet
(AE) subinterface showed a different status from the AE parent interface. |
PAN-122565 | Fixed an issue where a log collector with
a dynamically assigned IP address could not establish communication
with other log collectors. |
PAN-121827 | Fixed an issue where allow lists and auth
profiles in multi-vsys systems would not allow a user to be identified
in user groups. Users would show as Not in allow list because
the multi-vsys (vsys1) was shown as vsys0. |
PAN-121822 | Fixed an issue with certificate authentication
where only the topmost certificate was used to validate the client
certificate. |
PAN-121596 | Fixed an issue where the OSPF protocol didn't
choose the correct loopback address for the forwarding address in
the Not-So-Stubby Area (NSSA). |
PAN-121319 | A fix was made to address a stack-based
buffer overflow vulnerability in the management server component
of PAN-OS (CVE-2020-1990). |
PAN-121258 | Fixed an issue where some SSLv3 session
traffic logs showed an Allow action even when the security rule
policy had a Deny action when the url-proxy setting was enabled. |
PAN-121058 | A fix was made to address a DOM-based cross-site
scripting vulnerability in the PAN-OS and Panorama management
web interfaces (CVE-2020-2017). |
PAN-120726 | Fixed an issue where the firewall incorrectly
populated the username after the user had been served an Anti-Phishing
Continue Page due to credential phishing detection. |
PAN-120640 | Fixed an issue where ‘show routing bfd’
related commands triggered a routed memory leak. |
PAN-120350 | Fixed an issue where an Address Resolution
Protocol (ARP) broadcast storm potentially overloaded the Log Processing
Card (LPC) and caused the device to reboot. |
PAN-119810 | A fix was made to address an improper restriction
of XML external entity (XXE) vulnerability in the Palo Alto
Networks Panorama management server (CVE-2020-2012). |
PAN-119173 | (PA-5000 and PA-3000 Series only)
Fixed an issue where the passive device in a high availability (HA)
pair started processing traffic, which resulted in a packet buffer
leak. |
PAN-118957 | A fix was made to address an authentication
bypass spoofing vulnerability in the authentication daemon and User-ID
components of Palo Alto Networks PAN-OS (CVE-2020-2002). |
PAN-118075 | Fixed an issue where the BGP conditional
advertisement did not respond as expected, which caused the prefix
in the Advertise Filters (Network
> Virtual Router > BGP > Conditional Adv) to be incorrectly
advertised. |
PAN-117479 | A fix was made to address a vulnerability
with the Nginx web server included with PAN-OS (CVE-2017-7529). |
PAN-117108 | Fixed an issue on the firewalls where the
user mappings populated by the XML API were lost after rebooting. |
PAN-116842 | Fixed an issue in the firewalls where after
enabling a Cortex Data Lake license, if some connections between
the firewall and Customer Support Portal server were blocked, the
management plane memory utilization would start increasing, leading
to multiple process restarts due to an out-of-memory condition. |
PAN-115562 | Fixed an issue where superuser CLI permissions
for role-based administrators did not match superuser privileges. |
PAN-114648 | (PA-3200 Series only) Fixed an
issue where high availability (HA1) heartbeat backup connection flaps
occurred due to ping failures caused by unavailability of buffer
space when Heartbeat Backup was configured (Device
> High Availability > Election Settings). |
PAN-114236 | Java Runtime Environment (JRE) was upgraded
to 1.8.0_201. |
PAN-112899 | Fixed an issue where the content update
failed due to the appweb process periodically restarting. |
PAN-111636 | A fix was made to address OpenSSH issues (PAN-SA-2020-0002 / CVE-2018-20685, CVE-2019-6109,
and CVE-2019-6111). |
PAN-111061 | A fix was made to upgrade OpenSSH software
included with PAN-OS (PAN-SA-2020-0005 / CVE-2016-10012). |
PAN-109808 | Fixed an issue on the Panorama API where
exporting packet capture (pcap) using the XML API failed, and the
web interface displayed the following error message: session id is missing.
For Panorama, you can specify either the serial number or both the device_name and sessionid. |
PAN-109767 | Fixed an issue where high availability (HA)
sync would fail due to a large core being enabled on one peer. |
PAN-108992 | A fix was made to address an improper authorization
vulnerability in PAN-OS (CVE-2020-1998). |
PAN-108356 | Fixed an issue in Panorama where progress
stopped on a commit if there was a missing device group. |
PAN-107650 | Fixed an isolated issue that caused a process (configd)
to restart due to kernel segmentation fault errors and caused a
core file to be generated. |
PAN-106784 | Fixed an issue to simplify the code in the
web interface when changing administrator passwords. |
PAN-105880 | Fixed an issue where Panorama failed to
commit templates, including log correlation configurations, to firewalls
that do not support log correlation. Note: Correlation
is not supported on PA-200, PA-220, PA-500, PA-820, PA-850, and
PA-VM platforms. |
PAN-104701 | Fixed an issue where the dynamic update
sync to peer failed when the firewalls were in a high availability
(HA) configuration. |
PAN-103038 | A fix was made to address a predictable
temporary filename vulnerability (CVE-2020-1981). |
PAN-102839 | Fixed an issue where the IPSec tunnel size
limit set by the customer was not maintained correctly in the system. |
PAN-102674 | A fix was made to address a shell command
injection vulnerability in the PAN-OS CLI (CVE-2020-1980). |
PAN-102096 | (PA-7000 Series firewalls only)
Fixed an issue where the first packet processor packet buffer was not
allocated with proper alignment, which caused memory corruption. |
PAN-100734 | A fix was made to address a buffer overflow
vulnerability in the PAN-OS management interface where authenticated
users were able to crash system processes or execute arbitrary code
with root privileges (CVE-2020-2015). |
PAN-99359 | Fixed an issue where the ZIP hardware processing
engine stopped processing ZIP-related requests. |
PAN-97584 | A fix was made to address a format string
vulnerability in the PAN-OS log daemon (logd) on Panorama (CVE-2020-1979). |
PAN-95651 | (PA-3200 Series firewalls only)
Fixed an issue where incomplete core dump files were generated when
the dataplane stopped responding, which made troubleshooting difficult. |
PAN-74442 | Resolved an issue where after enabling debugs
on the dataplane, the debug logs contained information about unrelated
traffic. |