PAN-OS 8.1.13 Addressed Issues

PAN-OS® 8.1.13 addressed issues.
Issue ID
Description
PAN-136698
Fixed an issue where a process (all_pktproc) stopped responding and the dataplane restarted when the firewall processed a malformed GPRS tunneling protocol (GTP) packet.
PAN-135260
(PA-7000 Series firewalls running PAN-OS 8.1.12 only) Fixed an intermittent issue where the dataplane process (all_pktproc_X) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic.
PAN-134678
(PA-5200 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable.
PAN-133582
Fixed an issue on the firewalls where some Dynamic Address Groups pushed from Panorama were missing member IP addresses.
PAN-133440
Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues.
PAN-133436
Introduced the clear url-cache all CLI command to aggressively clear the dataplane URL cache.
PAN-133378
Fixed an issue in Panorama where a process (configd) restarted during a commit using a RADIUS super admin role.
PAN-133048
(PA-5200 and PA-7000 Series only) Fixed an issue where traffic was processed asymmetrically when using Internet Protocol (IP) classifiers on virtual wire (vwire) subinterfaces.
PAN-133042
(PA-5200 and PA-7000 Series only) Fixed an issue where certain GPRS tunneling protocol (GTP) traffic was dropped even when gtp nodrop was enabled.
PAN-131993
Fixed an issue where a process (reportd) stopped responding while running a log query.
PAN-131907
Fixed an issue where GPRS tunneling protocol (GTP) version 2 handling was unable to handle fully qualified tunnel endpoint IDs (FTEID) coming in reverse order, leading to GTP-C and GTP-U flows with incorrect IP addresses and tunnel endpoint IDs (TEIDs). This caused a GTP stateful inspection failure for further packets on the respective flows.
PAN-130773
Fixed an issue where users saw a page with a random phone number for authentication and could not proceed further in the authentication process when multi-factor authentication (MFA) was configured as the authentication portal.
PAN-130640
Fixed an issue where the management plane CPU was high due to index generation on summary logs.
PAN-130573
Fixed an issue where the software pool for Regex results was depleted and caused connection failures.
PAN-130447
Fixed an issue where offloaded traffic was dropped by the firewall every time there was an explicit commit (Commit on the firewall locally or Commit All Changes in Panorama) or an implicit commit (Antivirus update, Dynamic Update, or WildFire update, and so on) was performed on the firewall.
PAN-130345
Fixed an issue where the Panorama VM rebooted while filtering for configuration logs when the query value was not one of the predefined string results.
PAN-130290
Fixed an issue where in the web interface, traffic logs did not display the destination zone (Monitor > Logs > Traffic > To Zone) for multicast sessions.
PAN-130262
Fixed a rare issue where 200 OK messages were dropped during the offload of traffic for App-ID inspection.
PAN-130229
Fixed an issue on Panorama appliances where you could not change maximum transmission unit (MTU) values from the web interface and the following error message was displayed: Malformed Request.
PAN-130069
Fixed an issue where the firewall incorrectly interpreted an external dynamic list MineMeld instability error code as an empty external dynamic list.
PAN-129658
Fixed an issue where GTP inspection stopped functioning after unrelated changes in policy and a commit followed by a high availability (HA) failover.
PAN-129518
Fixed an issue where the firewall restarted due to an out-of-memory condition caused by a leak in a process (ikemgr).
PAN-129490
Fixed an issue where CRL/OCSP verifications failed due to requests routing through the management interface even when service route was configured.
PAN-128908
If an admin user password was changed but no commit was performed afterward, the new password did not persist after a reboot. Instead, the admin user could still use the old password to log in, and the calculation of expiry days was incorrect based on the password change timestamp in the database.
PAN-128856
Fixed an issue where the disk usage calculation was getting corrupted and purging logs.
PAN-128717
Fixed an issue in Panorama where after switching context to a managed device, the session idle timeout was not being updated, and the web session timed out even when the administrator was actively working.
PAN-128248
A fix was made to address a vulnerability with a race condition due to an insecure creation of a file in a temporary directory in PAN-OS (CVE-2020-2016).
PAN-127087
Fixed an issue in the firewalls where a push operation (Commit All Changes) from Panorama failed on the passive firewall when pushing a large number of security policy additions to both firewalls in an HA pair.
PAN-126412
Fixed an issue where hardware security module (HSM) authentication from the web interface failed if the password contained an ampersand (&).
PAN-126278
Fixed an issue where a burst of VLAN-tagged packets in a congested system caused an overflow and locked up the firewall. The threshold has been increased with this fix.
PAN-126202
Fixed an issue where a process (routed) stopped responding when users accessed the web interface to view the OSPF interface data (Network > Virtual Routers > More Runtime Stats > OSPF > Interface) if OSPF MD5 was configured in the OSPF Auth profile.
PAN-126069
Fixed an issue in Panorama where logs couldn't be viewed when an additional log collector was configured in the existing log collector group.
PAN-126017
Fixed an issue where the set application dump on rule CLI command did not accept rule names greater than 32 characters despite a stated limit of 63 characters.
PAN-125804
A fix was made to address an issue where an OS command injection vulnerability in the PAN-OS management server allowed authenticated administrators to execute arbitrary OS commands with root privileges when uploading a new certificate in FIPS-CC mode (CVE-2020-2028).
PAN-125546
Fixed an issue where a process failed to restart even when the system logs displayed the following message: virtual memory exceeded, restarting.
PAN-125306
Fixed an issue where a Transmission Control Protocol (TCP) connection reuse was incorrectly handled by a high availability (HA) active/active cluster with asymmetric flows.
PAN-125243
Fixed an issue where the VM-Series firewall restarted due to a deadlock condition occurring when processing QoS-enabled L7 traffic.
PAN-125194
Fixed an issue where system startup failed when the collector group was configured with an incorrect serial number of invalid length.
PAN-125122
A fix was made to address a cleartext transmission of sensitive information vulnerability in Palo Alto Networks PAN-OS and Panorama that disclosed an authenticated PAN-OS administrator's PAN-OS session cookie (CVE-2020-2013).
PAN-125032
Fixed an issue where, when Minimum Password Complexity was Enabled for all local administrators, the setting was also applied to plugin users. This caused API calls from plugin users to fail (HTTP Error code 502) because the password change was not made for the users and authentication failed.
PAN-124802
Fixed an issue where LACP connectivity issues were observed due to high CPU utilization when multiple dataplanes were used.
PAN-124621
A fix was made to address an issue where an OS command injection vulnerability in the PAN-OS web management interface allowed authenticated administrators to execute arbitrary OS commands with root privileges by sending a malicious request to generate new certificates for use in the PAN-OS configuration (CVE-2020-2029).
PAN-124495
Fixed an issue on Panorama where the task manager showed locally executed jobs but did not show tasks or jobs pushed to managed firewalls.
PAN-124428
Fixed an issue where Address Resolution Protocol (ARP) randomly failed on one of the interfaces for a firewall deployed in the KVM/GCP/ESXi clouds.
PAN-124087
Fixed an issue where GPRS tunneling protocol (GTP) v2 protocol handling was not able to handle the secondary Modify Bearer Request/Response in the GTP-C session.
PAN-123858
Fixed an issue on firewalls where a process (useridd) restarted while processing incorrect ip-user mappings that contained blank usernames from User-ID agents.
PAN-123843
Fixed an issue for Cloud/VM platforms where the tunnels between the log collectors did not come up when a public IP was used for the log collectors in an environment with a Panorama management server and two or more log collectors.
PAN-123830
Fixed an issue where the GlobalProtect™ portal used an outdated getbootstrap version.
PAN-123747
Fixed an issue where App-ID signatures failed to match when there were more than 12 partial App-ID matches within the same session.
PAN-123736
Fixed an issue where a Create Session Request message looped internally, causing continuous packet inspection and consuming firewall resources.
PAN-123391
A fix was made to address a predictable temporary file vulnerability in PAN-OS (CVE-2020-1994).
PAN-123295
Fixed an issue where the dataplane restarted due to a race condition when a configuration push and a Netflow update occurred simultaneously.
PAN-122909
Fixed an issue on the firewalls where enabling SSL Forward Proxy using the hardware security module (HSM) led to intermittent failure while loading random secure websites with the following message: ERR_CERT_INVALID. This occurred mainly with servers presenting ECDSA certificates.
PAN-122872
Fixed an issue where the Aggregate Ethernet (AE) subinterface showed a different status from the AE parent interface.
PAN-122565
Fixed an issue where a log collector with a dynamically assigned IP address could not establish communication between other log collectors.
PAN-121827
Fixed an issue where allow lists and auth profiles in multi-vsys systems would not allow a user to be identified in user groups. Users would show as Not in allow list because the multi-vsys (vsys1) was shown as vsys0.
PAN-121822
Fixed an issue with certificate authentication where only the topmost certificate was used to validate the client certificate.
PAN-121596
Fixed an issue where the OSPF protocol didn't choose the correct loopback address for the forwarding address in the Not-So-Stubby Area (NSSA).
PAN-121319
A fix was made to address a stack-based buffer overflow vulnerability in the management server component of PAN-OS (CVE-2020-1990).
PAN-121258
Fixed an issue where some SSLv3 session traffic logs showed an Allow action even when the security rule policy had a Deny action when the url-proxy setting was enabled.
PAN-121058
A fix was made to address a DOM-based cross site scripting vulnerability in the PAN-OS and Panorama management web interfaces (CVE-2020-2017).
PAN-120726
Fixed an issue where the firewall incorrectly populated the username after the user had been served an Anti-Phishing Continue Page due to credential phishing detection.
PAN-120640
Fixed an issue where 'show routing bfd' related commands triggered a routed memory leak.
PAN-120350
Fixed an issue where an Address Resolution Protocol (ARP) broadcast storm potentially overloaded the Log Processing Card (LPC) and caused the device to reboot.
PAN-119810
A fix was made to address the improper restriction of the XML external entity (XXE) vulnerability in the Palo Alto Networks Panorama management server (CVE-2020-2012).
PAN-119173
(PA-5000 and PA-3000 Series only) Fixed an issue where the passive device in a high availability (HA) pair started processing traffic, which resulted in a packet buffer leak.
PAN-118957
A fix was made to address an authentication bypass spoofing vulnerability in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS (CVE-2020-2002).
PAN-118075
Fixed an issue where the BGP conditional advertisement did not respond as expected, which caused the prefix in the Advertise Filters (Network > Virtual Router > BGP > Conditional Adv) to be incorrectly advertised.
PAN-117479
A fix was made to address a vulnerability with the Nginx web server included with PAN-OS (CVE-2017-7529).
PAN-117108
Fixed an issue on the firewalls where the user mappings populated by the XML API were lost after rebooting.
PAN-116842
Fixed an issue in the firewalls where after enabling a Cortex Data Lake license, if some connections between the firewall and Customer Support Portal server were blocked, the management plane memory utilization would start increasing, leading to multiple process restarts due to an out-of-memory condition.
PAN-115562
Fixed an issue where superuser CLI permissions for role-based administrators did not match superuser privileges.
PAN-114648
(PA-3200 Series only) Fixed an issue where high availability (HA1) heartbeat backup connection flaps occurred due to ping failures caused by unavailability of buffer space when Heartbeat Backup was configured (Device > High Availability > Election Settings).
PAN-114236
Java Runtime Environment (JRE) was upgraded to 1.8.0_201.
PAN-112899
Fixed an issue where the content update failed due to the appweb process periodically restarting.
PAN-111636
A fix was made to address OpenSSH issues (PAN-SA-2020-0002 / CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111).
PAN-111061
A fix was made to upgrade OpenSSH software included with PAN-OS (PAN-SA-2020-0005 / CVE-2016-10012).
PAN-109808
Fixed an issue on the Panorama API where exporting packet capture (pcap) using the XML API failed, and the web interface displayed the following error message: session id is missing. For Panorama, you can specify either the serial number or both the device_name and sessionid.
PAN-109767
Fixed an issue where high availability (HA) sync would fail due to a large core being enabled on one peer.
PAN-108992
A fix was made to address an improper authorization vulnerability in PAN-OS (CVE-2020-1998).
PAN-108356
Fixed an issue in Panorama where progress stopped on a commit if there was a missing device group.
PAN-107650
Fixed an isolated issue that caused a process (configd) to restart due to kernel segmentation fault errors and caused a core file to be generated.
PAN-106784
Fixed an issue to simplify the code in the web interface when changing administrator passwords.
PAN-105880
Fixed an issue where Panorama failed to commit templates, including log correlation configurations, to firewalls that do not support log correlation.
Note: Correlation is not supported on PA-200, PA-220, PA-500, PA-820, PA-850, and PA-VM platforms.
PAN-104701
Fixed an issue where the dynamic update sync to peer failed when the firewalls were in a high availability (HA) configuration.
PAN-103038
A fix was made to address a predictable temporary filename vulnerability (CVE-2020-1981).
PAN-102839
Fixed an issue where the IPSec tunnel size limit set by the customer was not maintained correctly in the system.
PAN-102674
A fix was made to address a shell command injection vulnerability in the PAN-OS CLI (CVE-2020-1980).
PAN-102096
(PA-7000 Series firewalls only) Fixed an issue where the first packet processor packet buffer was not allocated with proper alignment, which caused memory corruption.
PAN-100734
A fix was made to address a buffer overflow vulnerability in the PAN-OS management interface where authenticated users were able to crash system processes or execute arbitrary code with root privileges (CVE-2020-2015).
PAN-99359
Fixed an issue where the ZIP hardware processing engine stopped processing ZIP-related requests.
PAN-97584
A fix was made to address a format string vulnerability in the PAN-OS log daemon (logd) on Panorama (CVE-2020-1979).
PAN-95651
(PA-3200 Series firewalls only) Fixed an issue where incomplete core dump files were generated when the dataplane stopped responding, which made troubleshooting difficult.
PAN-74442
Resolved an issue where after enabling debugs on the dataplane, the debug logs contained information about unrelated traffic.
