PAN-OS 8.1.2 Addressed Issues

PAN-OS® 8.1.2 addressed issues
Issue ID
Description
WF500-4625
Fixed an issue where the WF-500 appliance provided no option to configure the master key. With this fix, you can use the request master-key new-master-key <key> lifetime <lifetime> CLI command to configure the master key.
PAN-97531
Fixed an issue on PA-3200 Series firewalls where powering down a copper interface disrupted the operations of other interfaces that were grouped with it at the hardware level.
PAN-97283
Fixed an issue on PA-3200 Series firewalls where SFP/SFP+ ports intermittently failed to come up after a reboot.
PAN-97003
Fixed an issue on offline VM-Series firewalls where the web interface and CLI did not display license information after you activated licenses.
PAN-96938
Fixed an issue with dataplane restarts when the mix of network traffic included a high ratio of RTP and RTP Control Protocol (RTCP) traffic.
PAN-96734
Fixed an issue where a process (configd) stopped responding during a partial revert operation when reverting an interface configuration.
PAN-96622
Fixed an issue where the GlobalProtect™ portal landing page did not return the HTTP Strict Transport Security (HSTS) header in the error response page when sending the response to an endpoint.
PAN-96587
Fixed an issue where PA-7000 Series and PA-5200 Series firewalls intermittently failed to forward logs to Log Collectors or the Logging Service due to DNS resolution failure for the FQDNs of those log receivers.
PAN-96572
Fixed an issue where, after end users successfully authenticated for access to a service or application, their web browsers briefly displayed a page indicating authentication completed and then they were redirected to an unknown URL that the user did not specify.
PAN-96490
Fixed an issue where syslog servers misrepresented HIP Match, Authentication, and User-ID™ logs received from the firewall because the order changed in the first seven syslog fields for those log types. With this fix, the first seven syslog fields are the same for all log types.
PAN-96102
Fixed an issue on the Panorama™ management server where partial revert operations failed with the following error after you used the PAN-OS® XML API to create template stacks:
template-stack-> is missing 'settings' template-stack is invalid.
PAN-96088
Fixed an issue where the active firewall in a high availability (HA) configuration did not synchronize the GlobalProtect data file to the passive firewall.
PAN-95895
Fixed an issue on firewalls that collect port-to-username mappings from Terminal Services agents where the firewalls didn't enforce user-based policies correctly because the dataplane had incorrect primary-to-alternative-username mappings even after you cleared the User-ID cache.
PAN-95736
Fixed an issue where the mprelay process stopped responding when a commit occurred while the firewall was identifying flows that needed a NetFlow update.
PAN-95683
Fixed an issue where, after you upgraded the firewall to PAN-OS 8.1, a 500 Internal Server error occurred for traffic that matched a Security policy rule with a URL Filtering profile that specified a continue action (Objects > Security Profiles > URL Filtering) because the firewall did not correctly apply AES encryption or synchronize the associated API key between the management plane and dataplane.
PAN-95513
Fixed an issue on the Panorama management server where selecting additional target firewalls for a shared policy rule cleared any existing firewall selections for that rule (Panorama > Policies > <policy_type> > {Pre Rules | Post Rules | Default Rules} > Target).
PAN-95486
Fixed an issue with VM-Series firewalls on Azure where dynamic updates failed for the GlobalProtect Data File when you scheduled the updates using the management interface.
PAN-95445
This fix requires the VMware NSX 2.0.4 or a later plugin.
Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over.
PAN-95443
Fixed an issue where a VM-Series firewall on KVM in DPDK mode didn't receive traffic after you configured it to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF). This fix requires that you install i40e driver version 2.1.16 or later, and that you set the VF to be trusted by running the following CLI command on the KVM host:
ip link set dev eth0 vf 1 trust on
PAN-95197
Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost traffic and had to reconnect because the firewall dropped the response message that a Gateway GPRS support node (GGSN) sent for a second Packet Data Protocol (PDP) context update.
PAN-95163
Fixed an issue where, after you added group mapping configurations, an out-of-memory condition developed that intermittently caused the User-ID process (useridd) to restart and temporarily prevented the firewall from receiving updates to user mappings and group mappings.
PAN-95130
Fixed an issue on the firewall and Panorama management server where you could not assign tags that contained a colon (:) to service or service group objects.
PAN-95124
Fixed an issue where the firewall did not correctly modify the Configuration XML file (by removing ctd skip-block-http-range) when you upgraded from PAN-OS 8.0 to PAN-OS 8.1.
PAN-95056
Fixed an issue on the Panorama management server where the configd process restarted when an external health monitoring script (such as GoldenGate) executed against Panorama, which became unusable until configd finished restarting.
PAN-94917
Fixed an issue on Panorama Log Collectors where the show system masterkey-properties CLI command did not display the master key lifetime and reminder settings.
PAN-94912
Fixed an issue where PA-5200 Series and PA-3200 Series firewalls in an active/active high availability (HA) configuration sent packets in the wrong direction in a virtual wire deployment.
PAN-94853
Fixed an issue where mobile endpoints that used GPRS Tunneling Protocol (GTP) lost GTP-U traffic because the firewall dropped all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses.
PAN-94697
Fixed an issue where commit failures occurred after you configured a DHCP-enabled subinterface as the local Interface for an IKE gateway configuration (Network > Network Profiles > IKE Gateways > <IKE_gateway> > General).
PAN-94586
Fixed an issue where the Panorama management server exported reports slowly or not at all due to DNS resolution failures.
PAN-94582
Fixed an issue where the firewall did not correctly re-learn a User-ID mapping after that mapping was temporarily lost and recovered through successful WMI probing.
PAN-94578
Fixed an issue where WildFire submissions with a filename that contained %20n or a subject that contained %n caused the management server (mgmtsrvr) process to stop responding.
PAN-94575
Fixed an issue where a Panorama management server running PAN-OS 8.1 failed to push host information profile (HIP) objects that specified Encrypted Locations with State values to firewalls running PAN-OS 8.0 or an earlier release (Objects > GlobalProtect > HIP Objects > <HIP_object> > Disk Encryption > Criteria > <encrypted_location>).
PAN-94516
Fixed an issue on PA-500, PA-220, PA-220-R, and PA-200 firewalls where commits failed after the Panorama management server pushed a Decryption profile that you configured to Block sessions if HSM not available to firewalls that did not support a hardware security module (HSM).
PAN-94510
Fixed an issue where the total log storage utilization that the firewall displayed did not account for IP Tag storage that was set to less than two per cent (Device > Setup > Management > Logging and Reporting Settings > Log Storage).
PAN-94450
Fixed an issue where QSFP+ interfaces (13 and 14) on a PA-7000-20GQ-NPC Network Processing Card (NPC) unexpectedly flapped when the card was booting up.
PAN-94413
Fixed an issue on Panorama M-Series and virtual appliances where the hash of the shared policy was incorrectly calculated, which caused an in-sync shared policy status to display as out-of-sync.
PAN-94382
Fixed an issue on the Panorama management server where the Task Manager displayed Completed status immediately after you initiated a push operation to firewalls (Commit all job) even though the push operation was still in progress.
PAN-94318
Fixed an issue where the VM-Series firewall for Azure intermittently failed to resolve URLs and generated the following error because Azure prematurely timed out the connection to the PAN-DB cloud after four minutes:
Failed to send Update Request to the Cloud.
PAN-94278
Fixed an issue where a Panorama Collector Group forwarded Threat and WildFire® Submission logs to the wrong external server after you configured match list profiles with the same name for both log types (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding > {Threat | WildFire} > <match_list_profile>).
PAN-94239
Fixed an issue where the firewall routed Open Shortest Path First (OSPF) unicast hello messages (P2MP non-broadcast) using a forwarding information base (FIB) instead of sending the messages over the interface to which the OSPF neighbor connected.
PAN-94187
Fixed an issue where the firewall did not apply tag-based matching rules for dynamic address groups unless you enclosed the tag names with single quotes ('<tag_name>') in the matching rules (Objects > Address Groups > <address_group>).
PAN-94167
Fixed an issue where a firewall forwarded a deleted or expired IP address-to-username mapping to another firewall through User-ID Redistribution but the receiving firewall still displayed the mapping as an active IP address-to-username mapping.
PAN-94165
Fixed an issue where the firewall used an incorrect next hop in the Border Gateway Protocol (BGP) route that it advertised to External BGP (eBGP) peers in the BGP peer group.
PAN-94163
Fixed an issue on firewalls deployed in virtual wire mode where SSL decryption failed due to a memory pool allocation failure.
PAN-94122
Fixed an issue where firewalls intermittently blocked SSL traffic due to a certificate timeout error after you enabled SSL Forward Proxy decryption and configured the firewall to Block sessions on certificate status check timeout (Objects > Decryption > Decryption Profile > <Decryption_profile> > SSL Decryption > SSL Forward Proxy).
PAN-94070
Fixed an issue where Bidirectional Forwarding Detection (BFD) sessions were active in only one virtual router when two or more virtual routers had active BGP sessions (with BFD enabled) using the same peer IP address.
PAN-94058
(GlobalProtect configurations only) Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.
PAN-94023
Fixed an issue where the request system external-list show type ip name <EDL_name> CLI command did not display external dynamic list entries after you restarted the management server (mgmtsrvr) process.
PAN-93937
Fixed an issue where the management server (mgmtsrvr) process on the firewall restarted when you pushed configurations from the Panorama management server.
PAN-93889
Fixed an issue where the Panorama management server generated high-severity System logs with the Syslog connection established to server message after you configured Traps log ingestion (Panorama > Log Ingestion Profile) for forwarding to a syslog server (Panorama > Server Profiles > Syslog) and committed configuration changes (Commit > Commit to Panorama).
PAN-93755
Fixed an issue where SSL decrypted traffic failed after you configured the firewall to Enforce Symmetric Return in Policy Based Forwarding (PBF) policy rules (Policies > Policy Based Forwarding).
PAN-93722
Fixed an issue where the firewall failed to perform decryption because endpoints tried to resume decrypted inbound perfect forward secrecy (PFS) sessions.
PAN-93715
In certain customer environments, enhancements in PAN-OS 8.1.2 to change fan speeds may help reduce rare cases of drive communication failure in PA-5200 Series firewalls.
PAN-93705
Fixed an issue where configuring additional interfaces (such as ethernet1/1 or ethernet1/2) on the Panorama management server in Management Only mode caused an attempt to create a local Log Collector when you committed the configuration (Panorama > Setup > Interfaces), which caused the commit to fail because a local Log Collector is not supported on a Panorama management server in Management Only mode.
PAN-93522
Fixed an issue on firewalls in a high availability (HA) configuration where traffic was disrupted because the dataplane restarted unexpectedly when the firewall concurrently processed HA messages and packets for the same session. This issue occurred on all firewall models except the PA-200 and VM-50 firewalls.
PAN-93412
Fixed an issue where the Security policy rules pushed from Panorama to a firewall did not display in the list of available rules in the global filters list in the Application Command Center (ACC).
PAN-93411
Fixed an issue on VM-Series firewalls for KVM where applications that relied on multicasting failed because the firewalls filtered multicast traffic by the physical function (PF) after you configured them to use single root I/O virtualization (SR-IOV) virtual function (VF) devices.
PAN-93410
Fixed an issue where PA-5200 Series firewalls sent logs to the passive or suspended Panorama virtual appliance in Legacy mode in a high availability (HA) configuration. With this fix, the firewalls send logs only to the active Panorama.
PAN-93318
Fixed an issue where firewall CPU usage reached 100 per cent due to SNMP polling for logical interfaces based on updates to the Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my).
PAN-93244
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS session browser (CVE-2018-9335).
PAN-93242
A security-related fix was made to prevent a Cross-Site Scripting (XSS) vulnerability in a PAN-OS web interface administration page (CVE-2018-9337).
PAN-93233
Fixed an issue where PA-7000 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption when the tunnel session and inner traffic session were on different dataplanes.
PAN-93207
Fixed an issue where the firewall reported the incorrect hostname when responding to SNMP get requests.
PAN-93046
Fixed an issue where administrators whose roles had the Privacy privilege disabled (Device > Admin Roles > <role> > Web UI) could view details about source IP addresses and usernames in the PDF reports exported from the firewall.
PAN-92958
Fixed an issue where disk utilization increased unnecessarily because the firewall did not archive and rotate the /var/on file, which therefore grew to over 40MB.
PAN-92892
(VM-50 Lite firewalls only) Fixed an intermittent issue where Failed to back up PAN-DB errors were reported in the system log due to management plane out-of-memory errors when a process (devsrvr) attempted to run an md5 checksum.
PAN-92821
Fixed an issue where WildFire Submission logs did not correctly display the subject fields of emails because the firewall did not remove white spaces between encoded chunks in those fields.
PAN-92676
Fixed an issue where an administrator whose Admin Role profile had the Command Line privileges set to superuser (Device > Admin Roles > <role> > Command Line) could not request tech-support dump from the CLI.
PAN-92569
Fixed an issue where the firewall displayed a continue-and-override response page when users tried to access a URL that the firewall incorrectly categorized as unknown because it learned the URL field as an IP address.
PAN-92456
Fixed an issue on the Panorama management server where administrators couldn't log in to the web interface because disk space utilization reached 100 per cent due to the continuous growth of cmserror log files.
PAN-92366
Fixed an issue where PA-5200 Series firewalls in an active/passive high availability (HA) configuration dropped Bidirectional Forwarding Detection (BFD) sessions when the passive firewall was in an initialization state after you rebooted it.
PAN-92149
Fixed an issue on PA-3250 and PA-3260 firewalls where the hardware signature match engine was disabled and the PAN-OS software performed signature matching instead, resulting in a ten percent degradation in threat detection performance.
PAN-91689
Fixed an issue where the Panorama management server removed address objects and—in the Network tab settings and NAT policy rules—used the associated IP address values without reference to the address objects before pushing configurations to firewalls.
PAN-91421
Fixed an issue where the firewall dataplane restarted and resulted in temporary traffic loss when any process stopped responding while system resource usage was running high.
PAN-91238
Fixed an issue where an Aggregate Ethernet (AE) interface with Link Aggregation Control Protocol (LACP) enabled on the firewall went down after a cisco-nexus primary virtual port channel (vPC) switch LACP peer rebooted and came back up.
PAN-91088
Fixed an issue on PA-7000 Series firewalls in a high availability (HA) configuration where the HA3 link did not come up after you upgraded to PAN-OS 8.1.0 or a later PAN-OS 8.1 release.
PAN-90920
Fixed an issue on PA-5200 Series firewalls where the dataplane restarted due to an internal path monitoring failure.
PAN-90692
Fixed an issue where PA-5200 Series firewalls dropped offloaded traffic after you enabled session offloading (enabled by default), configured subinterfaces on the second aggregate Ethernet (AE) interface group (ae2), and configured QoS on a non-AE interface.
PAN-90690
Fixed an issue where Panorama appliances ignored the time-zone offset in logs sent from the Traps Endpoint Security Manager (ESM).
PAN-90623
Fixed an issue where the Panorama management server displayed template configurations as Out of Sync for firewalls with multiple virtual systems even though the template configurations were in sync.
PAN-90418
Fixed an issue where PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3200 Series, and PA-3000 Series firewalls dropped packets because their dataplanes restarted due to QoS queue corruption.
PAN-89988
Fixed an issue where the firewall dataplane intermittently restarted, causing traffic loss, after you attached a NetFlow server profile to an interface for which the firewall assigned an invalid identifier.
PAN-89794
Fixed an issue on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls in a high availability (HA) configuration where multicast sessions intermittently stopped forwarding traffic after HA failover on firewalls with hardware offloading enabled (default).
PAN-88674
Fixed an issue on the Panorama management server where administrators with the superuser read-only role could view the Password Hash used to access a Log Collector CLI after another superuser used browser developer tools to modify the input type for that field (Panorama > Managed Collectors > <Log_Collector> > Authentication).
PAN-88428
Fixed an issue where the VM-Series firewall incorrectly displayed network interfaces as having a Link Speed of 1000 and a Link Duplex set to half when the actual values were different (Network > Interfaces > <interface> > Advanced).
PAN-87265
Fixed an issue where the Panorama management server displayed no output for the User Activity Report (Monitor > PDF Reports > User Activity Report).
PAN-87079
(PA-3060, PA-3050, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where Threat logs displayed an Other IP Flood message instead of identifying the threat name of the correct protocol (such as TCP Flood) when traffic reached the configured SYN flood max-rate threshold (Objects > Security Profiles > DoS Protection > <DoS_Protection_profile> > Flood Protection > SYN Flood).
PAN-86672
Fixed an issue where in rare cases a commit caused the disk to become full due to an incorrect disk quota size value, and as a result the firewall behaved unpredictably (for example, the web interface and CLI became unresponsive).
PAN-86647
Fixed an issue on the Panorama management server where editing the Description of a shared policy rule and clicking OK caused the Target setting to revert to Any firewalls instead of the selected firewalls.
PAN-84647
Fixed an issue with scheduled log exports that prevented firewalls running in FIPS-CC mode from successfully exporting the logs using Secure Copy (SCP).
PAN-84238
Fixed an issue where the Panorama management server failed to push configurations to firewalls running a PAN-OS 7.1 release and displayed the following error:
wins-server-> primary is invalid
PAN-80922
Fixed an issue where the firewall failed to parse the merged configuration file after you changed the master key; it parsed only the running configuration file. With this fix, the firewall parses both files as expected after you change the master key.
PAN-68256
Fixed an issue on PA-7000 Series firewalls in a high availability (HA) configuration where the HA data link (HSCI) interfaces intermittently failed to initialize properly during bootup.
PAN-48553
Fixed an issue where, after pushing the high availability (HA) Group ID from a Panorama management server to a firewall and overriding the value on the firewall (Device > High Availability > General > Setup), the following error displayed even though the value was within the permitted range:
deviceconfig -> high-availability-> group -> should be equal to or between 1 and 63.
