PAN-OS 8.1.17 Addressed Issues

PAN-OS® 8.1.17 addressed issues.
Issue ID
Description
A security issue has been fixed (CVE-2021-3064).
PAN-154181
Fixed an issue where, on Panorama, context switching to the web interface of a managed firewall running PAN-OS 8.1.16 did not work.
PAN-153813
Fixed an issue where the proxy configuration did not get honored, which caused certificate revocation list (CRL) checks to fail from the firewall.
PAN-152285
Fixed an issue where certain GPRS tunneling protocol (GTP-U) sessions that could not complete installation still occupied the flow table, which led to higher session table usage.
PAN-152106
Fixed an issue where the management plane CPU usage remained high for a longer period of time than expected due to a process (genindex.sh).
PAN-151405
Fixed an issue where administrators were unable to export Security Assertion Markup Language (SAML) metadata files from virtual system (vsys) specific authentication profiles.
PAN-151203
Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.
PAN-151057
Fixed an issue where upgrading the capacity license on a virtual machine (VM) high availability (HA) pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.
PAN-150750
(PA-5200 Series firewalls only) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.
PAN-150748
Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.
PAN-150746
Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.
PAN-150613
Fixed an issue that caused a process (mprelay) to stop responding when committing changes in the Netflow Server Profile configuration (Device > Server Profiles > Netflow).
PAN-149912
Fixed an issue where FIB entries were removed incorrectly due to miscommunication between internal processes.
PAN-149839
(PA-7000 Series firewalls only) Added CLI commands to enable/disable resource-control groups and CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use debug software resource-control enable and to disable them, use debug software resource-control disable. To set the memory limit, use debug management-server limit-memory enable, and to remove the limit, use debug management-server limit-memory disable. For the memory limit change to take effect, the firewall must be rebooted.
PAN-147996
(PA-7000b Series firewalls only) Fixed a buffer overflow issue.
PAN-147741
Fixed an issue where an API call for correlated events did not return any events.
PAN-147595
Fixed an issue where, after a policy commit and session rematch, stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information.
PAN-147305
Fixed an issue where a process (useridd) stopped responding to requests.
PAN-146650
A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).
PAN-146506
Fixed an issue where memory usage on a process (useridd) was high, which caused the process to restart on the firewall acting as the User-ID redistribution agent. This issue occurred when multiple clients requested IP address-to-user mappings at the same time.
PAN-146284
Fixed an issue where Application and Threat Content installation failed on the firewall with the following error message: Error: Threat database handler failed.
PAN-145823
Fixed an issue where BGP learned routes were incorrectly populated with a VR error as a next hop.
PAN-145133
A fix was made to address a vulnerability in the PAN-OS signature-based threat detection engine that allowed an attacker to evade threat prevention signatures using specifically crafted TCP packets (CVE-2020-1999).
PAN-144919
Fixed an issue on an M-600 appliance where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.
PAN-144448
Fixed an issue with the automated correlation engine that caused firewalls to stop generating correlated event logs for the beacon-heuristics object (ID 6005).
PAN-143959
Fixed an issue on Panorama where a custom administrator with all rights enabled was not able to display the content of the external dynamic list (EDL) on the Panorama web interface.
PAN-143809
Fixed an issue where Log Collectors had problems ingesting logs for older days received at a high rate.
PAN-143241
Fixed an issue where the firewall unexpectedly stopped processing traffic due to a buffer allocation failure under the QoS-based buffer allocation method.
PAN-141551
Fixed an issue where SSH service restart management did not take effect in the SSH management server profile.
PAN-140883
Fixed an issue where, after rebooting the firewall, the SNMP object identifier (OID) for TCP connections per second (panVsysActiveTcpCps / .1.3.6.1.4.1.25461.2.1.2.3.9.1.6.1) returned 0 until another OID was pulled. Additionally, after a restart of a daemon (snmpd), if the above OID was called before other OIDs, there was a delay of approximately 10 seconds in populating the data pulled by each OID.
PAN-140382
Fixed an issue where the Host Evasion Threat ID signature did not trigger for the initial session even after the DNS response was received before the session expired.
PAN-140375
Fixed an issue where a process (logrcvr) exited due to a race condition.
PAN-140227
(PA-7000 Series firewalls only) Fixed a rare issue where the firewall rebooted due to path monitoring failure on the Log Processing Card (LPC).
PAN-140157
A fix was made to address a vulnerability where the password for a configured system proxy server for a PAN-OS appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048).
PAN-139991
Fixed an issue where the web interface and the CLI were inaccessible, which caused the following error message to display on the web interface: Timed out while getting config lock.
PAN-139680
Fixed an issue where dynamic route updates triggered an unintentional refresh of the DHCP client interface IP address, which led to the removal and re-addition of the default route associated with the DHCP client IP address and caused traffic disruption.
PAN-139365
(PA-7000 Series firewalls only) Enhanced latency-sensitive protocols processing. With this fix, the following latency-sensitive control traffic will be prioritized: BGP, Bidirectional Forwarding Detection (BFD), LACP, OSPF, OSPFv3, Protocol Independent Multicast (PIM), and Internet Group Management Protocol (IGMP).
PAN-139233
Fixed an issue where host information profile (HIP) reports failed to show up via the web interface or the CLI.
PAN-139136
Fixed an issue where a large number of groups in group mappings caused a process (useridd) to exit.
PAN-138938
Added an enhancement to reduce the memory usage of a process (logrcvr) to avoid out-of-memory (OOM) conditions on lower-end platforms.
PAN-138573
Fixed an issue where the keyword [Disabled] was missing from the disabled policies exported in CSV/PDF format.
PAN-137741
Fixed an issue where the data for a botnet report was deleted before the botnet report was completed.
PAN-137656
Fixed an issue where the show config diff CLI command did not work correctly and produced unexpected output.
PAN-135540
(PA-3220 firewalls only) Fixed an issue where the firewall generated some core files when generating tech support files.
PAN-135354
Fixed an issue where the paths between the control plane and the dataplanes in network processing cards (NPCs) stalled in the dataplane-to-control plane direction due to the Ring Descriptor entries becoming out of sync on each side. This produced unrecoverable data path monitoring failures, which caused the chassis to become nonfunctional.
PAN-134226
Fixed an issue where AdminStatus for HA1 and High Speed Chassis Interconnect (HSCI) interfaces was incorrectly reported.
PAN-133934
Fixed an intermittent issue where user-to-IP address mappings were not redistributed to client firewalls.
PAN-133388
Fixed an issue where an HA configuration went out of sync when the HA sync job was queued and processed during an ongoing content installation job on the passive firewall.
PAN-130955
Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.
PAN-130357
Fixed a memory leak issue where virtual memory used by the SNMP process started to slowly increase when the request was sent with a request-id of 0.
PAN-129376
(PA-800 Series firewalls only) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.
PAN-128172
Fixed an issue on Panorama where the show system logdb-quota CLI command took more time than expected, which caused the configuration lock to time out.
PAN-128048
Fixed an issue where certificate-based authentication with IKEv2 IPSec tunnels failed to establish with some third-party vendors.
PAN-127318
Fixed an issue where the firewall intermittently dropped DNS A or AAAA queries received over IPSec tunnels due to a session installation failure.
PAN-125218
A fix was made to address an information exposure vulnerability in Panorama that disclosed the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performed a context switch (CVE-2020-2022).
PAN-124916
Added two ciphers for GlobalProtect Portal TLS connections.
PAN-124331
Fixed an issue where the LDAP query took longer than expected to populate in the web interface.
PAN-122672
Fixed an issue where the firewall returned incorrect information about the logging service status when the information was requested through the web interface.
PAN-121944
Fixed an issue where the Device Connectivity status was grey on the firewall web interface even when the SSL session to the logging service was successful.
PAN-121483
Fixed an issue where Data Filtering profiles did not generate a packet capture (pcap) for Server Message Block (SMB) when action was set to Alert.
PAN-120245
Fixed an issue on Panorama where WildFire cloud content download failed for content deployment to the WF-500 appliance.
PAN-109877
Fixed an issue where BGP flapped continuously with Jumbo Frames enabled on the firewall.
PAN-104254
Fixed a rare issue where a dataplane process stopped responding.
PAN-100254
Fixed an issue where an incorrect subnet mask was displayed for redistributed routes in the show routing protocol redist all CLI command.
PAN-96528
A fix was made to address a memory corruption vulnerability in the GlobalProtect portal and GlobalProtect gateway that enabled an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges (CVE-2021-3064).
PAN-96187
Fixed an issue where Panorama did not set the preference list on a firewall for a Log Collector that was configured through the CLI.
