PAN-OS 8.1.2 Addressed Issues
PAN-OS® 8.1.2 addressed issues
Issue ID | Description |
---|---|
WF500-4625 | Fixed an issue where the WF-500 appliance
provided no option to configure the master key. With this fix, you
can use the request master-key new-master-key <key> lifetime <lifetime> CLI
command to configure the master key. |
PAN-97531 | Fixed an issue on PA-3200 Series firewalls
where powering down a copper interface disrupted the operations
of other interfaces that were grouped with it at the hardware level. |
PAN-97283 | Fixed an issue on PA-3200 Series firewalls
where SFP/SFP+ ports intermittently failed to come up after a reboot. |
PAN-97003 | Fixed an issue on offline VM-Series firewalls
where the web interface and CLI did not display license information
after you activated licenses. |
PAN-96938 | Fixed an issue with dataplane restarts when
the mix of network traffic included a high ratio of RTP and RTP
Control Protocol (RTCP) traffic. |
PAN-96734 | Fixed an issue where a process (configd)
stopped responding during a partial revert operation when reverting
an interface configuration. |
PAN-96622 | Fixed an issue where the GlobalProtect™
portal landing page did not return the HTTP Strict Transport Security
(HSTS) header in the error response page when sending the response
to an endpoint. |
PAN-96587 | Fixed an issue where PA-7000 Series and
PA-5200 Series firewalls intermittently failed to forward logs to
Log Collectors or the Logging Service due to DNS resolution failure
for the FQDNs of those log receivers. |
PAN-96572 | Fixed an issue where, after end users successfully
authenticated for access to a service or application, their web
browsers briefly displayed a page indicating authentication completed
and then they were redirected to an unknown URL that the user did
not specify. |
PAN-96490 | Fixed an issue where syslog servers misrepresented
HIP Match, Authentication, and User-ID™ logs received from the firewall
because the order changed in the first seven syslog fields for those
log types. With this fix, the first seven syslog fields are the
same for all log types. |
PAN-96102 | Fixed an issue on the Panorama™ management
server where partial revert operations failed with the following
error after you used the PAN-OS® XML API to create template stacks: template-stack-> is missing 'settings' template-stack is invalid. |
PAN-96088 | Fixed an issue where the active firewall
in a high availability (HA) configuration did not synchronize the
GlobalProtect data file to the passive firewall. |
PAN-95895 | Fixed an issue on firewalls that collect
port-to-username mappings from Terminal Services agents where the
firewalls didn't enforce user-based policies correctly because the
dataplane had incorrect primary-to-alternative-username mappings
even after you cleared the User-ID cache. |
PAN-95736 | Fixed an issue where the mprelay process stopped
responding when a commit occurred while the firewall was identifying
flows that needed a NetFlow update. |
PAN-95683 | Fixed an issue where, after you upgraded the firewall to PAN-OS 8.1, a 500 Internal Server error occurred for traffic that matched a Security policy rule with a URL Filtering profile that specified a continue action (Objects > Security Profiles > URL Filtering) because the firewall did not correctly apply AES encryption or synchronize the associated API key between the management plane and dataplane. |
PAN-95513 | Fixed an issue on the Panorama management server where selecting additional target firewalls for a shared policy rule cleared any existing firewall selections for that rule (Panorama > Policies > <policy_type> > {Pre Rules \| Post Rules \| Default Rules} > Target). |
PAN-95486 | Fixed an issue with VM-Series firewalls
on Azure where dynamic updates failed for the GlobalProtect Data
File when you scheduled the updates using the management interface. |
PAN-95445 | Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over. This fix requires the VMware NSX plugin 2.0.4 or a later version. |
PAN-95443 | Fixed an issue where a VM-Series firewall
on KVM in DPDK mode didn't receive traffic after you configured
it to use the i40e single-root input/output virtualization (SR-IOV)
virtual function (VF). This fix requires that you install i40e driver
version 2.1.16 or later, and that you set the VF to be trusted by
running the following CLI command on the KVM host: ip link set dev eth0 vf 1 trust on |
PAN-95197 | Fixed an issue where mobile endpoints that
used GPRS Tunneling Protocol (GTP) lost traffic and had to reconnect
because the firewall dropped the response message that a Gateway
GPRS support node (GGSN) sent for a second Packet Data Protocol
(PDP) context update. |
PAN-95163 | Fixed an issue where, after you added group
mapping configurations, an out-of-memory condition developed that
intermittently caused the User-ID process (useridd)
to restart and temporarily prevented the firewall from receiving
updates to user mappings and group mappings. |
PAN-95130 | Fixed an issue on the firewall and Panorama management server where you could not assign tags that contained a colon ( : ) to service or service group objects. |
PAN-95124 | Fixed an issue where the firewall did not
correctly modify the Configuration XML file (by removing ctd skip-block-http-range)
when you upgraded from PAN-OS 8.0 to PAN-OS 8.1. |
PAN-95056 | Fixed an issue on the Panorama management
server where the configd process restarted when an
external health monitoring script (such as GoldenGate) executed
against Panorama, which became unusable until configd finished restarting. |
PAN-94917 | Fixed an issue on Panorama Log Collectors
where the show system masterkey-properties CLI command
did not display the master key lifetime and reminder settings. |
PAN-94912 | Fixed an issue where PA-5200 Series and
PA-3200 Series firewalls in an active/active high availability (HA)
configuration sent packets in the wrong direction in a virtual wire
deployment. |
PAN-94853 | Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost GTP-U traffic because the firewall dropped all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses. |
PAN-94697 | Fixed an issue where commit failures occurred after you configured a DHCP-enabled subinterface as the local Interface for an IKE gateway configuration (Network > Network Profiles > IKE Gateways > <IKE_gateway> > General). |
PAN-94586 | Fixed an issue where the Panorama management
server exported reports slowly or not at all due to DNS resolution
failures. |
PAN-94582 | Fixed an issue where the firewall did not
correctly re-learn a User-ID mapping after that mapping was temporarily
lost and recovered through successful WMI probing. |
PAN-94578 | Fixed an issue where WildFire submissions
with a filename that contained %20n or a subject
that contained %n caused the management server (mgmtsrvr)
process to stop responding. |
PAN-94575 | Fixed an issue where a Panorama management server running PAN-OS 8.1 failed to push host information profile (HIP) objects that specified Encrypted Locations with State values to firewalls running PAN-OS 8.0 or an earlier release (Objects > GlobalProtect > HIP Objects > <HIP_object> > Disk Encryption > Criteria > <encrypted_location>). |
PAN-94516 | Fixed an issue on PA-500, PA-220, PA-220-R,
and PA-200 firewalls where commits failed after the Panorama management
server pushed a Decryption profile that you configured to Block
sessions if HSM not available to firewalls that did
not support a hardware security module (HSM). |
PAN-94510 | Fixed an issue where the total log storage utilization that the firewall displayed did not account for IP Tag storage that was set to less than two per cent (Device > Setup > Management > Logging and Reporting Settings > Log Storage). |
PAN-94450 | Fixed an issue where QSFP+ interfaces (13
and 14) on a PA-7000-20GQ-NPC Network Processing Card (NPC) unexpectedly
flapped when the card was booting up. |
PAN-94413 | Fixed an issue on Panorama M-Series and
virtual appliances where the hash of the shared policy was incorrectly
calculated, which caused an in-sync shared policy status to display
as out-of-sync. |
PAN-94382 | Fixed an issue on the Panorama management
server where the Task Manager displayed Completed status
immediately after you initiated a push operation to firewalls (Commit
all job) even though the push operation was still in
progress. |
PAN-94318 | Fixed an issue where the VM-Series firewall for Azure intermittently failed to resolve URLs and generated the following error because Azure prematurely timed out the connection to the PAN-DB cloud after four minutes: Failed to send Update Request to the Cloud. |
PAN-94278 | Fixed an issue where a Panorama Collector Group forwarded Threat and WildFire® Submission logs to the wrong external server after you configured match list profiles with the same name for both log types (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding > {Threat \| WildFire} > <match_list_profile>). |
PAN-94239 | Fixed an issue where the firewall routed
Open Shortest Path First (OSPF) unicast hello messages (P2MP non-broadcast)
using a forwarding information base (FIB) instead of sending the
messages over the interface to which the OSPF neighbor connected. |
PAN-94187 | Fixed an issue where the firewall did not apply tag-based matching rules for dynamic address groups unless you enclosed the tag names with single quotes ('<tag_name>') in the matching rules (Objects > Address Groups > <address_group>). |
PAN-94167 | Fixed an issue where a firewall forwarded
a deleted or expired IP address-to-username mapping to another firewall
through User-ID Redistribution but the receiving firewall still
displayed the mapping as an active IP address-to-username mapping. |
PAN-94165 | Fixed an issue where the firewall used an
incorrect next hop in the Border Gateway Protocol (BGP) route that
it advertised to External BGP (eBGP) peers in the BGP peer group. |
PAN-94163 | Fixed an issue on firewalls deployed in
virtual wire mode where SSL decryption failed due to a memory pool
allocation failure. |
PAN-94122 | Fixed an issue where firewalls intermittently blocked SSL traffic due to a certificate timeout error after you enabled SSL Forward Proxy decryption and configured the firewall to Block sessions on certificate status check timeout (Objects > Decryption > Decryption Profile > <Decryption_profile> > SSL Decryption > SSL Forward Proxy). |
PAN-94070 | Fixed an issue where Bidirectional Forwarding
Detection (BFD) sessions were active in only one virtual router
when two or more virtual routers had active BGP sessions (with BFD
enabled) using the same peer IP address. |
PAN-94058 | (GlobalProtect configurations only)
Fixed an issue where a configured Layer 3 interface erroneously
opened ports 28869/tcp and 28870/tcp on the IP address assigned
to that Layer 3 interface. |
PAN-94023 | Fixed an issue where the request system external-list show type ip name <EDL_name> CLI
command did not display external dynamic list entries after you
restarted the management server (mgmtsrvr) process. |
PAN-93937 | Fixed an issue where the management server (mgmtsrvr)
process on the firewall restarted when you pushed configurations
from the Panorama management server. |
PAN-93889 | Fixed an issue where the Panorama management server generated high-severity System logs with the Syslog connection established to server message after you configured Traps log ingestion (Panorama > Log Ingestion Profile) for forwarding to a syslog server (Panorama > Server Profiles > Syslog) and committed configuration changes (Commit > Commit to Panorama). |
PAN-93755 | Fixed an issue where SSL decrypted traffic failed after you configured the firewall to Enforce Symmetric Return in Policy Based Forwarding (PBF) policy rules (Policies > Policy Based Forwarding). |
PAN-93722 | Fixed an issue where the firewall failed
to perform decryption because endpoints tried to resume decrypted
inbound perfect forward secrecy (PFS) sessions. |
PAN-93715 | In certain customer environments, enhancements
in PAN-OS 8.1.2 to change fan speeds may help reduce rare cases
of drive communication failure in PA-5200 Series firewalls. |
PAN-93705 | Fixed an issue where configuring additional interfaces (such as ethernet1/1 or ethernet1/2) on the Panorama management server in Management Only mode caused an attempt to create a local Log Collector when you committed the configuration (Panorama > Setup > Interfaces), which caused the commit to fail because a local Log Collector is not supported on a Panorama management server in Management Only mode. |
PAN-93522 | Fixed an issue on firewalls in a high availability
(HA) configuration where traffic was disrupted because the dataplane
restarted unexpectedly when the firewall concurrently processed
HA messages and packets for the same session. This issue occurred
on all firewall models except the PA-200 and VM-50 firewalls. |
PAN-93412 | Fixed an issue where the Security policy
rules pushed from Panorama to a firewall did not display in the
list of available rules in the global filters list in the Application
Command Center (ACC). |
PAN-93411 | Fixed an issue on VM-Series firewalls for
KVM where applications that relied on multicasting failed because
the firewalls filtered multicast traffic by the physical function
(PF) after you configured them to use single root I/O virtualization
(SR-IOV) virtual function (VF) devices. |
PAN-93410 | Fixed an issue where PA-5200 Series firewalls
sent logs to the passive or suspended Panorama virtual appliance
in Legacy mode in a high availability (HA) configuration. With this
fix, the firewalls send logs only to the active Panorama. |
PAN-93318 | Fixed an issue where firewall CPU usage reached 100 per cent due to SNMP polling for logical interfaces based on updates to the Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my). |
PAN-93244 | A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS session browser (CVE-2018-9335). |
PAN-93242 | A security-related fix was made to prevent a Cross-Site Scripting (XSS) vulnerability in a PAN-OS web interface administration page (CVE-2018-9337). |
PAN-93233 | Fixed an issue where PA-7000 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption when the tunnel session and inner traffic session were on different dataplanes. |
PAN-93207 | Fixed an issue where the firewall reported the incorrect hostname when responding to SNMP get requests. |
PAN-93046 | Fixed an issue where administrators whose roles have the Privacy privilege disabled (Device > Admin Roles > <role> > Web UI) could view details about source IP addresses and usernames in the PDF reports exported from the firewall. |
PAN-92958 | Fixed an issue where disk utilization increased unnecessarily because the firewall did not archive and rotate the /var/on file, which therefore grew to over 40MB. |
PAN-92892 | (VM-50 Lite firewalls only) Fixed
an intermittent issue where Failed to back up PAN-DB errors
were reported in the system log due to management plane out-of-memory
errors when a process (devsrvr) attempted to run an
md5 checksum. |
PAN-92821 | Fixed an issue where WildFire Submission
logs did not correctly display the subject fields of emails because
the firewall did not remove white spaces between encoded chunks
in those fields. |
PAN-92676 | Fixed an issue where an administrator whose Admin Role profile had the Command Line privileges set to superuser (Device > Admin Roles > <role> > Command Line) could not request tech-support dump from the CLI. |
PAN-92569 | Fixed an issue where the firewall displayed
a continue-and-override response page when users tried to access
a URL that the firewall incorrectly categorized as unknown because
it learned the URL field as an IP address. |
PAN-92456 | Fixed an issue on the Panorama management
server where administrators couldn't log in to the web interface
because disk space utilization reached 100 per cent due to the continuous
growth of cmserror log files. |
PAN-92366 | Fixed an issue where PA-5200 Series firewalls
in an active/passive high availability (HA) configuration dropped
Bidirectional Forwarding Detection (BFD) sessions when the passive
firewall was in an initialization state after you rebooted it. |
PAN-92149 | Fixed an issue on PA-3250 and PA-3260 firewalls
where the hardware signature match engine was disabled and the PAN-OS
software performed signature matching instead, resulting in a ten
percent degradation in threat detection performance. |
PAN-91689 | Fixed an issue where the Panorama management
server removed address objects and—in the Network tab settings
and NAT policy rules—used the associated IP address values without
reference to the address objects before pushing configurations to firewalls. |
PAN-91421 | Fixed an issue where the firewall dataplane
restarted and resulted in temporary traffic loss when any process
stopped responding while system resource usage was running high. |
PAN-91238 | Fixed an issue where an Aggregate Ethernet
(AE) interface with Link Aggregation Control Protocol (LACP) enabled
on the firewall went down after a cisco-nexus primary virtual port
channel (vPC) switch LACP peer rebooted and came back up. |
PAN-91088 | Fixed an issue on PA-7000 Series firewalls
in a high availability (HA) configuration where the HA3 link did
not come up after you upgraded to PAN-OS 8.1.0 or a later PAN-OS
8.1 release. |
PAN-90920 | Fixed an issue on PA-5200 Series firewalls
where the dataplane restarted due to an internal path monitoring
failure. |
PAN-90692 | Fixed an issue where PA-5200 Series firewalls
dropped offloaded traffic after you enabled session offloading (enabled
by default), configured subinterfaces on the second aggregate Ethernet
(AE) interface group (ae2), and configured QoS on a
non-AE interface. |
PAN-90690 | Fixed an issue where Panorama appliances
ignored the time-zone offset in logs sent from the Traps Endpoint
Security Manager (ESM). |
PAN-90623 | Fixed an issue where the Panorama management
server displayed template configurations as Out of Sync for
firewalls with multiple virtual systems even though the template configurations
were in sync. |
PAN-90418 | Fixed an issue where PA-7000 Series, PA-5200
Series, PA-5000 Series, PA-3200 Series, and PA-3000 Series firewalls
dropped packets because their dataplanes restarted due to QoS queue
corruption. |
PAN-89988 | Fixed an issue where the firewall dataplane
intermittently restarted, causing traffic loss, after you attached
a NetFlow server profile to an interface for which the firewall
assigned an invalid identifier. |
PAN-89794 | Fixed an issue on PA-3050, PA-3060, PA-5000
Series, PA-5200 Series, and PA-7000 Series firewalls in a high availability
(HA) configuration where multicast sessions intermittently stopped
forwarding traffic after HA failover on firewalls with hardware
offloading enabled (default). |
PAN-88674 | Fixed an issue on the Panorama management server where administrators with the superuser read-only role could view the Password Hash used to access a Log Collector CLI after another superuser used browser developer tools to modify the input type for that field (Panorama > Managed Collectors > <Log_Collector> > Authentication). |
PAN-88428 | Fixed an issue where the VM-Series firewall incorrectly displayed network interfaces as having a Link Speed of 1000 and a Link Duplex set to half when the actual values were different (Network > Interfaces > <interface> > Advanced). |
PAN-87265 | Fixed an issue where the Panorama management server displayed no output for the User Activity Report (Monitor > PDF Reports > User Activity Report). |
PAN-87079 | (PA-3060, PA-3050, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where Threat logs displayed an Other IP Flood message instead of identifying the threat name of the correct protocol (such as TCP Flood) when traffic reached the configured SYN flood max-rate threshold (Objects > Security Profiles > DoS Protection > <DoS_Protection_profile> > Flood Protection > SYN Flood). |
PAN-86672 | Fixed an issue where in rare cases a commit
caused the disk to become full due to an incorrect disk quota size
value, and as a result the firewall behaved unpredictably (for example,
the web interface and CLI became unresponsive). |
PAN-86647 | Fixed an issue on the Panorama management
server where editing the Description of a
shared policy rule and clicking OK caused
the Target setting to revert to Any firewalls
instead of the selected firewalls. |
PAN-84647 | Fixed an issue with scheduled log exports
that prevented firewalls running in FIPS-CC mode from successfully
exporting the logs using Secure Copy (SCP). |
PAN-84238 | Fixed an issue where the Panorama management
server failed to push configurations to firewalls running a PAN-OS
7.1 release and displayed the following error: wins-server-> primary is invalid |
PAN-80922 | Fixed an issue where the firewall failed
to parse the merged configuration file after you changed the master
key; it parsed only the running configuration file. With this fix,
the firewall parses both files as expected after you change the
master key. |
PAN-68256 | Fixed an issue on PA-7000 Series firewalls
in a high availability (HA) configuration where the HA data link
(HSCI) interfaces intermittently failed to initialize properly during
bootup. |
PAN-48553 | Fixed an issue where, after pushing the high availability (HA) Group ID from a Panorama management server to a firewall and overriding the value on the firewall (Device > High Availability > General > Setup), the following error displayed even though the value was within the permitted range: deviceconfig -> high-availability-> group -> should be equal to or between 1 and 63. |