PAN-OS 8.1.19 Addressed Issues

PAN-OS® 8.1.19 addressed issues.
Functionality was added to enable, via the CLI, the removal of key exchange algorithms used by SSH.
  • Use debug system ssh-kex-prune cipher [diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 .. ] to enable removal of specified key exchanges.
  • Use debug system ssh-kex-prune none to enable addition of key exchanges.
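After pruning key exchange algorithms with the command above, an administrator will want to confirm that the firewall's SSH service no longer advertises them. The script below is an added example, not PAN-OS code or Palo Alto Networks tooling: it parses the SSH_MSG_KEXINIT packet a server sends at the start of every SSH connection (layout per RFC 4253) and reports which of the two algorithms named on this page are still offered. The hostname, port and the constructed test packet are assumptions for illustration; the network fetch is only used when a host is passed on the command line.

```python
"""Parse an SSH KEXINIT packet and flag key-exchange algorithms a server still offers.

Added example (not PAN-OS code). Point fetch_server_kexinit() at a firewall's
management address after `debug system ssh-kex-prune` has been used, to confirm
the pruned algorithms are gone from the server's KEXINIT (RFC 4253 section 7.1).
"""
import socket
import struct

# Key-exchange algorithms named on the page as candidates for pruning.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

SSH_MSG_KEXINIT = 20


def _read_name_list(buf: bytes, offset: int):
    """Read an RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + length]
    if len(raw) != length:
        raise ValueError("truncated name-list")
    names = raw.decode("ascii").split(",") if raw else []
    return names, offset + length


def parse_kexinit(packet: bytes) -> dict:
    """Parse an unencrypted binary packet (RFC 4253 section 6) carrying KEXINIT.

    Returns the ten name-lists keyed by field name; raises ValueError on
    malformed input instead of guessing.
    """
    if len(packet) < 5:
        raise ValueError("packet too short")
    (packet_length,) = struct.unpack_from(">I", packet, 0)
    padding_length = packet[4]
    payload = packet[5:5 + packet_length - padding_length - 1]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # one message byte plus the 16-byte cookie
    fields = [
        "kex_algorithms", "server_host_key_algorithms",
        "encryption_c2s", "encryption_s2c",
        "mac_c2s", "mac_s2c",
        "compression_c2s", "compression_s2c",
        "languages_c2s", "languages_s2c",
    ]
    out = {}
    for name in fields:
        out[name], off = _read_name_list(payload, off)
    return out


def weak_kex_offered(packet: bytes) -> list:
    """Return (sorted) the weak KEX algorithms the KEXINIT still advertises."""
    return sorted(set(parse_kexinit(packet)["kex_algorithms"]) & WEAK_KEX)


def build_kexinit(kex: list, hostkey: list) -> bytes:
    """Build a minimal KEXINIT packet; used to construct offline sample input."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    payload = (bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # constructed fixed cookie
               + nl(kex) + nl(hostkey)
               + nl(["aes256-ctr"]) * 2 + nl(["hmac-sha2-256"]) * 2
               + nl(["none"]) * 2 + nl([]) * 2
               + b"\x00" + b"\x00\x00\x00\x00")  # first_kex_packet_follows, reserved
    # Total packet length must be a multiple of 8 with at least 4 padding bytes.
    padding = 8 - ((5 + len(payload)) % 8)
    if padding < 4:
        padding += 8
    body = bytes([padding]) + payload + b"\x00" * padding
    return struct.pack(">I", len(body)) + body


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Exchange version strings with a live server and return its raw KEXINIT packet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:  # servers may send banner lines before the SSH- identification
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        header = f.read(4)
        (packet_length,) = struct.unpack(">I", header)
        return header + f.read(packet_length)


if __name__ == "__main__":
    import sys
    # With no host argument, fall back to a constructed packet that still offers group1-sha1.
    pkt = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else build_kexinit(
        ["diffie-hellman-group1-sha1", "curve25519-sha256"], ["ssh-ed25519"])
    print("kex offered:", parse_kexinit(pkt)["kex_algorithms"])
    print("weak still offered:", weak_kex_offered(pkt) or "none")
```

Running the script with the firewall's management address as the only argument prints the full list of key exchange algorithms the server offers and the subset that matches the two algorithms named above; an empty "weak still offered" result confirms the prune took effect. The parser stops after the ten name-lists, so it is unaffected by the trailing first_kex_packet_follows and reserved fields.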
Fixed an issue where the firewall rejected SAML Assertions, which caused user authentication failure when the Validate Identity Provider Certificate option was enabled in the SAML Server Profile in vsys3 or above.
Fixed an issue with HTTP Header Insertion where the payload was truncated when processing a segmented TCP stream and when the client retransmitted the packet with the same sequence number that was previously received segmented.
Adds additional debugging to be used in identifying the malformed references causing process crashes during FQDN refresh.
Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP): invalid ocsp response sig-alg
A fix was made to address an issue where a cryptographically weak pseudo-random number generator (PRNG) was used during authentication to the PAN-OS interface. As a result, attackers with the capability to observe their own authentication secrets over a long duration on the firewall had the ability to impersonate another authenticated web interface administrator's session (CVE-2021-3047).
Fixed an issue on the firewall where executing the request system bootstrap-usb prepare CLI command returned a server error.
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where secrets in PAN-OS XML API requests were logged in cleartext in the web server logs when the API was used incorrectly (CVE-2021-3036).
Fixed a rare issue where TCP packets randomly dropped due to reassembly failure.
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a
character in the rule usage column.
Fixed an issue on firewalls with high availability active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the Inactivity Logout timer did not reset.
Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state.
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
(PA-7000 Series firewalls only) Fixed an issue where Network Processing Cards (NPCs) took longer than expected or failed to boot.
A fix was made to address an issue where an improper authentication vulnerability enabled a Security Assertion Markup Language (SAML) authenticated user to impersonate any user in the GlobalProtect portal and GlobalProtect gateway when they were configured to use SAML authentication (CVE-2021-3046).
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMware vCenter Server.
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
Checks were added to help prevent the dataplane from restarting.
A fix was made to address an issue where an OS command argument injection vulnerability in the PAN-OS web interface enabled an authenticated administrator to read any arbitrary file from the file system (CVE-2021-3045).
jQuery was updated to 3.5.1.
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints.
Fixed an issue where the
on the
file did not work as expected, which led to entries in
not being uniquely identified.
Fixed an intermittent issue where a high traffic load in a Layer 2 deployment caused SNMP and Panorama health monitoring failures.
Fixed an issue where DNS proxy TCP connections were processed incorrectly, which caused a process (
) to stop responding.
Fixed an issue where the High Speed Chassis Interconnect (HSCI) port flapped continuously after an upgrade or reboot.
Fixed an issue on Panorama appliances in an active/passive HA configuration where a managed firewall generated high priority alerts that it failed to connect to the passive Panorama appliance's User-ID agent server. This issue occurred because the firewall was only able to connect to one Panorama User-ID server at a time, and it connected only to the active Panorama appliance's User-ID server.
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where the connection details for a scheduled configuration export were logged in system logs (CVE-2021-3037).
Fixed an issue where the dynamic address group failed due to a process (devsrvr) not being synced with another process (useridd).
Fixed an issue where a process (all_task_3) restarted, which caused the tunnels to reset.
