PAN-OS 8.1.17 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 8.1.17 Addressed Issues
PAN-OS® 8.1.17 addressed issues.
Issue ID | Description |
---|---|
— | A security issue has been fixed (CVE-2021-3064). |
PAN-154181 | Fixed an issue where, on Panorama, context
switching to the web interface of a managed firewall running PAN-OS
8.1.16 did not work. |
PAN-153813 | Fixed an issue where the proxy configuration
did not get honored, which caused certificate revocation list (CRL)
checks to fail from the firewall. |
PAN-152285 | Fixed an issue where certain GPRS tunneling
protocol (GTP-U) sessions that could not complete installation still
occupied the flow table, which led to higher session table usage. |
PAN-152106 | Fixed an issue where the management plane
CPU usage remained high for a longer period of time than expected
due to a process (genindex.sh). |
PAN-151405 | Fixed an issue where administrators were
unable to export Security Assertion Markup Language (SAML) metadata
files from virtual system (vsys) specific authentication profiles. |
PAN-151203 | Fixed an issue where the firewall dropped
certain GTPv1 Update PDP Context packets. |
PAN-151057 | Fixed an issue where upgrading the capacity
license on a virtual machine (VM) high availability (HA) pair resulted
in both firewalls going into a non-functional state instead of only
the higher capacity license firewall. |
PAN-150750 | (PA-5200 Series firewalls only)
Fixed an intermittent issue where the firewall dropped packets when
two or more GTP packets on the same GTP tunnel were very close to
each other. |
PAN-150748 | Fixed an issue where the firewall silently
dropped GTPv2-C Delete Session Response packets. |
PAN-150746 | Fixed an issue where the firewall dropped
GTP packets with Delete Bearer messages for EBI 6 if they were received
within two seconds of receiving the Delete Bearer messages for EBI
5. |
PAN-150613 | Fixed an issue that caused a process (mprelay) to
stop responding when committing changes in the Netflow Server Profile
configuration (Device > Server Profiles > Netflow). |
PAN-149912 | Fixed an issue where FIB entries were removed
incorrectly due to miscommunication between internal processes. |
PAN-149839 | (PA-7000 Series firewalls only)
Added CLI commands to enable/disable resource-control groups and
CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
To enable resource-control groups, use debug software resource-control enable and
to disable them, use debug software resource-control disable.
To set the memory limit, use debug management-server limit-memory enable,
and to remove the limit, use debug management-server limit-memory disable.
For the memory limit change to take effect, the firewall must be
rebooted. |
PAN-147996 | (PA-7000b Series firewalls only)
Fixed a buffer overflow issue. |
PAN-147741 | Fixed an issue where an API call for correlated
events did not return any events. |
PAN-147595 | Fixed an issue where, after a policy commit
and session rematch, stream control transmission protocol (SCTP)
logs for an existing SCTP session still showed old rule information. |
PAN-147305 | Fixed an issue where a process (useridd) stopped
responding to requests. |
PAN-146650 | A fix was made to address an authentication
bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS
that allowed an attacker to bypass all client certificate checks
with an invalid certificate. As a result, the attacker was able
to authenticate as any user and gain access to restricted VPN network
resources when the gateway or portal was configured to rely only
on certificate-based authentication (CVE-2020-2050). |
PAN-146506 | Fixed an issue where memory usage on a process (useridd)
was high, which caused the process to restart on the firewall acting
as the User-ID redistribution agent. This issue occurred when multiple
clients requested IP address-to-user mappings at the same time. |
PAN-146284 | Fixed an issue where Application and Threat
Content installation failed on the firewall with the following error
message: Error: Threat database handler failed. |
PAN-145823 | Fixed an issue where BGP learned routes
were incorrectly populated with a VR error as a next hop. |
PAN-145133 | A fix was made to address a vulnerability
in the PAN-OS signature-based threat detection engine that allowed
an attacker to evade threat prevention signatures using specifically
crafted TCP packets (CVE-2020-1999). |
PAN-144919 | Fixed an issue on an M-600 appliance where
the Panorama management server stopped receiving new logs from firewalls
because delayed log purging caused log storage on the Log Collectors
to reach maximum capacity. |
PAN-144448 | Fixed an issue with the automated correlation
engine that caused firewalls to stop generating correlated event
logs for the beacon-heuristics object
(ID 6005). |
PAN-143959 | Fixed an issue on Panorama where a custom
administrator with all rights enabled was not able to display the
content of the external dynamic list (EDL) on the Panorama web interface. |
PAN-143809 | Fixed an issue where Log Collectors had
problems ingesting logs for older days received at a high rate. |
PAN-143241 | Fixed an issue where the firewall unexpectedly
stopped processing traffic to due a buffer allocation failure under
the QOS-based buffer allocation method. |
PAN-141551 | Fixed an issue where SSH service restart
management did not take effect in the SSH management server profile. |
PAN-140883 | Fixed an issue where, after rebooting the
firewall, the SNMP object identifier (OID) for TCP connections per
second (panVsysActiveTcpCps / .1.3.6.1.4.1.25461.2.1.2.3.9.1.6.1)
returned 0 until another OID was pulled. Additionally, after a restart
of a daemon (snmpd), if the above OID was called before
other OIDs, there was an approximate 10 second delay in populating
the data pulled by each OID. |
PAN-140382 | Fixed an issue where the Host Evasion Threat
ID signature did not trigger for the initial session even after
the DNS response was received before the session expired. |
PAN-140375 | Fixed an issue where a process (logrcvr)
exited due to a race condition. |
PAN-140227 | (PA-7000 Series firewalls only)
Fixed a rare issue where the firewall rebooted due to path monitoring
failure on the Log Processing Card (LPC). |
PAN-140157 | A fix was made to address a vulnerability
where the password for a configured system proxy server for a PAN-OS
appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048). |
PAN-139991 | Fixed an issue where the web interface and
the CLI were inaccessible, which caused the following error message
to display on the web interface: Timed out while getting config lock. |
PAN-139680 | Fixed an issue where dynamic route updates
triggered an unintentional refresh of the DHCP client interface
IP address, which led to the removal and re-addition of the default
route associated with the DHCP client IP address and caused traffic
disruption. |
PAN-139365 | (PA-7000 Series firewalls only)
Enhanced latency-sensitive protocols processing. With this fix,
the following latency-sensitive control traffic will be prioritized:
BGP, Bidirectional Forwarding Detection (BFD), LACP, OSPF, OSPFv3,
Protocol Independent Multicast (PIM), and Internet Group Management
Protocol (IGMP). |
PAN-139233 | Fixed an issue where host information profile
(HIP) reports failed to show up via the web interface or the CLI. |
PAN-139136 | Fixed an issue where a large number of groups
in group mappings caused a process (useridd) to exit. |
PAN-138938 | Added an enhancement to reduce the memory
usage of a process (logrcvr) to avoid out-of-memory
(OOM) conditions on lower-end platforms. |
PAN-138573 | Fixed an issue where the keyword [Disabled] was
missing from the disabled policies exported in CSV/PDF format. |
PAN-137741 | Fixed an issue where the data for a botnet
report was deleted before the botnet report was completed. |
PAN-137656 | Fixed an issue where the show config diff CLI
command did not work correctly and produced unexpected output. |
PAN-135540 | (PA-3220 firewalls only) Fixed
an issue where the firewall generated some core files when generating
tech support files |
PAN-135354 | Fixed an issue where the paths between the
control plane and the dataplanes in network processing cards (NPCs)
stalled in the dataplane-to-control plane direction due to the Ring
Descriptor entries becoming out of sync on each side. This produced
unrecoverable data path monitoring failures, which caused the chassis
to become nonfunctional. |
PAN-134226 | Fixed an issue where AdminStatus for HA1
and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly
reported. |
PAN-133934 | Fixed an intermittent issue where user-to-IP
address mappings were not redistributed to client firewalls. |
PAN-133388 | Fixed an issue where an HA configuration
went out of sync when the HA sync job was queued and processed during
an ongoing content installation job on the passive firewall. |
PAN-130955 | Fixed an issue where templates on the secondary
Panorama appliance were out of sync with the primary Panorama appliance
due to an empty content-preview node. |
PAN-130357 | Fixed a memory leak issue where virtual
memory used by the SNMP process started to slowly increase when
the request was sent with a request-id of
0. |
PAN-129376 | (PA-800 Series firewalls only)
Fixed an issue that prevented ports 9-12 from being powered down
by hardware after being requested to do so. |
PAN-128172 | Fixed an issue on Panorama where the show system logdb-quota CLI
command took more time than expected, which caused the configuration
lock to time out. |
PAN-128048 | Fixed an issue where certificate-based authentication
with IKEv2 IPSec tunnels failed to establish with some third-party
vendors. |
PAN-127318 | Fixed an issue where the firewall intermittently
dropped DNS A or AAAA queries received over IPSec tunnels due to
a session installation failure. |
PAN-125218 | A fix was made to address an information
exposure vulnerability in Panorama that disclosed the token for
the Panorama web interface administrator's session to a managed
device when the Panorama administrator performed a context switch (CVE-2020-2022). |
PAN-124916 | Added two ciphers for GlobalProtect Portal
TLS connections. |
PAN-124331 | Fixed an issue where the LDAP query took
longer than expected to populate in the web interface. |
PAN-122672 | Fixed an issue where the firewall returned
incorrect information about the logging service status when the
information was requested through the web interface. |
PAN-121944 | Fixed an issue where the Device Connectivity status
was grey on the firewall web interface even when the SSL session
to the logging service was successful. |
PAN-121483 | Fixed an issue where Data Filtering profiles
did not generate a packet capture (pcap) for Server Message Block
(SMB) when action was set to Alert. |
PAN-120245 | Fixed an issue on Panorama where WildFire
cloud content download failed for content deployment to the WF-500
appliance. |
PAN-109877 | Fixed an issue where BGP flapped continuously
with Jumbo Frames enabled on the firewall. |
PAN-104254 | Fixed a rare issue where a dataplane process
stopped responding. |
PAN-100254 | Fixed an issue where an incorrect subnet
mask was displayed for redistributed routes in the show routing protocol redist all CLI
command. |
PAN-96528 | A fix was made to address a memory corruption
vulnerability in the GlobalProtect portal and GlobalProtect gateway
that enabled an unauthenticated network-based attacker to disrupt
system processes and potentially execute arbitrary code with root
privileges (CVE-2021-3064). |
PAN-96187 | Fixed an issue where Panorama did not set
the preference list on a firewall for a Log Collector that was configured
through the CLI. |