PAN-OS 8.1.3 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 8.1.3 Addressed Issues
PAN-OS® 8.1.3 addressed issues
Issue ID | Description |
---|---|
WF500-4645 | Fixed an issue where RAID rebuilding after
disk replacement either failed or took longer than expected. |
PAN-101101 | Fixed an issue with inconsistencies in the
IP address-to-username mappings after upgrading the User-ID agent
to a User-ID agent 8.1 release. |
PAN-100896 | Fixed an issue where the dataplane restarted
multiple times when multiple processes stopped responding when accessing
invalid memory. |
PAN-100870 | Fixed an issue where the GlobalProtect app
incorrectly displays a warning (Password Warning:Password expires in 0 days)
even though the password has not, yet, expired. |
PAN-100312 | Fixed an intermittent issue where the dataplane
restarted when processing Clientless VPN traffic. |
PAN-100015 | Fixed an issue where a PA-7000 Series firewall
with a 20GQ Network Processing Card (NPC) failed to properly initiate
all QSFP modules. |
PAN-99968 | Fixed an issue where the firewall incorrectly
dropped GTPv2-C Modify Bearer Response packets due to a sequence-number mismatch. |
PAN-99896 | Fixed an issue where the route (routed)
process on a passive firewall in a high availability (HA) cluster
restarted when receiving an update from the active peer for a multicast
route destined for a multicast group that does not exist on the
firewall. |
PAN-99624 | Fixed an issue where emails were not sent
using the configured email service route as expected. |
PAN-99585 | Fixed an issue where a PA-3200 Series firewall
processed traffic that was in suspended mode |
PAN-99584 | Fixed an issue where a PA-5200 Series firewall
processed traffic that was in suspended mode. |
PAN-99380 | Fixed an issue where the dataplane stopped
responding when a tunnel interface on the firewall received fragmented
packets. |
PAN-99362 | Fixed an issue on a VM-Series firewall on
Azure where a process (logrcvr) stopped responding. |
PAN-99316 | Fixed an issue where the SAP Success Factor
app failed to load because the Cipher-cloud was configuring cookies
with the at ( @ ) character in the
cookie name but Palo Alto Networks firewalls used the @ character
as a separator for storing cookies locally, which caused the firewall
to misinterpret the cookies. |
PAN-99263 | Fixed an issue where NetFlow caused an invalid
memory-access issue that caused the pan_task process
to stop responding. |
PAN-99212 | Fixed an issue where the firewall incorrectly
dropped ARP packets and increased the flow_arp_throttle counter. |
PAN-99067 | Fixed an issue where a firewall frequently
flapped a BGP session when the firewall did not receive any response
from the BFD peer or when BFD was configured only on the firewall. |
PAN-98735 | Fixed an issue where upgrading a Panorama
management server on Microsoft Azure from PAN-OS 8.1.0 to PAN-OS
8.1.1 or PAN-OS 8.1.2 resulted in an autocommit failure. |
PAN-98624 | Fixed an issue where an administrator who
has all administrative rights is unable to add a device to Panorama
from the web interface. |
PAN-98530 | Fixed a memory leak associated with the logrcvr process
when using custom syslog filters in a syslog profile. |
PAN-98470 | Fixed an issue on a firewall with GTP stateful
inspection enabled where the firewall incorrectly identified GTP
echo packets as GTP-U application packets. |
PAN-98397 | Fixed an issue on PA-3200 series firewalls
where the offload processor did not process route-deletion update
messages , which left behind stale route entries and caused sessions
to become unresponsive during the session-offload stage. |
PAN-98329 | (PA-3200 Series firewalls only)
Fixed an issue where an SFP+ (10Gbps PAN-SFP-PLUS-CU-5M) transceiver
was incorrectly identified as an SFP (1Gbps) transceiver. |
PAN-98217 | Fixed an issue where user-account group
members in subgroups (n+1) were unnecessarily
queried when nested level was set to n. |
PAN-98116 | Fixed an issue where PA-3000 Series firewalls
passed file descriptors in a dataplane process (pan_comm)
during content (apps and threats) installation and FQDNRefresh job
execution, which caused the hardware Layer 7 engine to identify
applications incorrectly. |
PAN-98097 | Fixed an issue on PA-3000 Series, PA-3200
Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls
where Captive Portal was inaccessible for traffic on Secure HTTP
(https) websites when SSL decryption was enabled and users were
behind a proxy server. |
PAN-98088 | Fixed an issue where an error (mailsend: failed to get stat of file)
appeared in the System log due to an incorrect condition check even
though there were no issues with the firewall sending PDF reports. |
PAN-97905 | Fixed an issue where device-group operations
were discarded when a concurrent commit was triggered by a different
administrator. |
PAN-97810 | Fixed an issue where, after upgrading to
PAN-OS 8.1.1, User-ID usernames were not populated in traffic logs
as expected even though User-ID mappings were present on the dataplane. |
PAN-97724 | Fixed an issue with the Japanese language
mode where a firewall displayed garbled characters when an administrator
was logging in to the web interface. |
PAN-97634 | Fixed an issue where the firewall rebooted
when the management (MGT) interface was connected to a network that
contained a network loop, which caused excessive traffic flow on
the interface. This issue was observed only on a PA-220 firewall. |
PAN-97594 | Fixed an issue where administrators could
not use the new colors that were introduced in PAN-OS 8.1 for creating
and modifying banners and messages; these colors were unavailable
from the CLI and, though available from the web interface (DeviceSetupManagementBanners and MessagesBanners),
administrators received an Operation Failed error
when attempting to use them. |
PAN-97561 | Fixed an issue where a Panorama appliance
running PAN-OS 8.1.2 was unable to connect to the Logging Service. |
PAN-97497 | Fixed an issue where the default for newly
added cloned security rules was Move Top,
which placed the new rule at the top of the list. With this fix,
the default is After Rule as it was in PAN-OS
8.0 and earlier releases. |
PAN-97282 | Fixed an issue where Inbound inspection
failed when a cipher was cleared from the TLS structure during session
resumption. |
PAN-97225 | Fixed an issue where new Vendor names for
the HIP check were not included when Panorama pushed the configuration
to firewalls. |
PAN-97208 | Fixed an issue where a firewall in a high
availability (HA) active/active virtual wire (vwire) configuration
with SSL decryption enabled passed traffic through the wrong firewall. |
PAN-97082 | Fixed an issue where the firewall incorrectly
blocked SSL sessions subjected to Inbound decryption due to UnsupportedVersion when
the Decryption rule referenced a decryption profile with Min
- Max TLS Version, even though Block sessions with
unsupported versions was disabled (ObjectsDecryptionDecryption Profile).
With this fix, the firewall checks the TLS version that the server
accepted and compares it with the decryption profile settings when
evaluating whether to allow or bypass sessions based on Decryption
rules. |
PAN-97060 | Fixed an issue where the User-ID (useridd) process
stopped responding due to an out-of-memory issue related to User-ID
group mapping. |
PAN-97045 | Fixed an issue on PA-850 firewalls where
the session rematch option failed to execute when you added an IP
address to the External Dynamic List (EDL) block list. |
PAN-96997 | Fixed an intermittent issue where detecting
an unreachable WF-500 node took longer than expected. |
PAN-96978 | Fixed an issue where the GlobalProtect
Clientless VPN and GlobalProtect Data options
did not display as expected on Panorama (TemplateDeviceDynamic Updates). |
PAN-96918 | Fixed an issue where an unreachable DNS
server due to aggressive timers increased the time of PPPoE negotiation
and, in some cases, caused negotiation to fail. |
PAN-96909 | A security-related fix was made to address
a Denial of Service (DoS) that existed in the PAN-OS management
web interface and allowed an authenticated user to shut down all
management sessions, which causes the firewall to redirect all logged-in
users to the login page (CVE-2018-10140). |
PAN-96779 | Fixed an issue where using the the XML API
to retrieve Hit Count on a security rule returned an error message: Anerror occurred. See dagger.log for information. |
PAN-96737 | Fixed an issue with an incorrect policy
match because google-docs-base was incorrectly identified as SSL. |
PAN-96388 | Fixed an issue in a non-vsys configuration
where a firewall dropped the Client Hello packet from tunneled traffic
when inbound decryption was enabled because the firewall considered
that packet to be an inter-vsys inbound packet. |
PAN-96326 | Fixed an issue where endpoints could not
authenticate to a GlobalProtect portal or gateway through client
certificate authentication due to an OCSP status of Unknown when
the portal or the gateway used a Certificate profile that specified
Online Certificate Status Protocol (OCSP) to validate certificates (NetworkGlobalProtectPortals<portal>Authentication). |
PAN-96200 | Fixed an issue where PA-220 firewalls that
were bootstrapped with a configuration that enabled jumbo frames
did not change the packet buffer size as expected, which resulted
in a dataplane restart. |
PAN-96150 | Fixed a memory corruption error that caused
the dataplane to restart when content decode length was zero. |
PAN-96113 | Fixed an issue where the show routing protocol bgp rib-out CLI
command did not display advertised routes that the firewall sent
to the BGP peer. This issue was observed only in a deployment where
a firewall is connected to a Border Gateway Protocol (BGP) peer
that advertised a route for which the next hop is not in the same
subnetwork as the BGP peer interface. |
PAN-96003 | Fixed an issue where the GTP Protection
profile name did not appear in the Global Find and Filter options
in the Profile column of the security rule to which the GTP profile
was attached. |
PAN-95996 | Fixed an issue where Panorama virtual appliances
converted from legacy mode to Panorama mode did not properly purge
logs, which caused low disk space issues in /opt/panlogs partition. |
PAN-95993 | Fixed an issue where the firewall did not
properly identify the google-translate application. |
PAN-95955 | Fixed an issue on PA-3200 Series firewalls
where incorrect internal memory allocation reduced the number of
simultaneous SSL decryption sessions that the firewall could support. |
PAN-95884 | Fixed an issue where routing FIB entries
that were learned from a BGP peer were not deleted when BGP Peering
went down. |
PAN-95854 | Fixed an issue where the Filter drop-down
did not display properly when you keep the default Target for a
Policy rule set to Any. |
PAN-95766 | Fixed an issue where Q-in-Q-tagged packets
passed through a firewall without inspection or session creation. |
PAN-95740 | Fixed an issue where multicast FIB entries
were inconsistent across dataplanes, which caused the firewall to
intermittently drop multicast packets. |
PAN-95730 | Fixed an issue where a firewall dropped
SIP-RTP packets flowing through a GRE tunnel when a Tunnel Inspection
Policy was configured with Security Options (Tunnel Inspection zones). |
PAN-95712 | Fixed an issue where browsers failed to
load custom response pages on decrypted websites when those pages
were larger than 8,191 bytes. With this fix, the firewall supports
decryption of custom response pages up to 17,999 bytes. |
PAN-95509 | Fixed an issue where the parent device group
in the hierarchy did not automatically acquire read-only access
for a URL Profile as expected after you assigned write access to
a child device group of that parent. |
PAN-95476 | Fixed an issue where a certificate failed
to load when the certificate public key exceeded the supported number
of characters (2,048). |
PAN-95439 | Fixed an issue where using the test nat-policy-match command
from the XML API does not result in any matches when the matching
policy is a destination NAT policy. |
PAN-95339 | Fixed an issue where a firewall sent packets
out of order when the sending rate was too high. |
PAN-95192 | Fixed an issue where the SSL Certificate
Error Notify page didn't display the <certname/> <issuer/> variables
in the SSL-cert-status-page. |
PAN-95120 | Fixed an issue where VM-Series firewall
bootstrapping failed when you transferred the bootstrap package
using a base64 encoded user-data file. |
PAN-95114 | Fixed an issue where TACACS+ authorization
responded with Illegal packet version because
a firewall was incorrectly sending minor version 1,
which impacts TACACS+ servers and causes a failed authorization. |
PAN-95113 | Fixed an where issue where non-local administrators
using TACACS were unable to log in to the CLI. |
PAN-95090 | Fixed an issue where imported custom applications
did not display in Security Policies that were created through the
web interface. |
PAN-95061 | Fixed an issue on PA-220 firewalls where
either a commit or an EDLRefresh job failed with the following error
message: failed to handle CONFIG_UPDATE_START.
This issue occurred after an increase in the number of type URL
entries in an external dynamic list. |
PAN-95046 | Fixed an issue where the dataplane restarted
on a VM-Series firewall on KVM. |
PAN-94920 | Fixed an issue where PA-5200 Series firewalls
in a high availability (HA) active/active configuration experienced
internal packet corruption that caused the firewalls to stop passing
traffic when the active member of a cluster came back up as passive
after being either suspended or rebooted (moving from tentative
to passive state). |
PAN-94864 | Fixed an issue where firewalls receiving
IP addresses via DHCP failed to resolve FQDN objects to an IP address. |
PAN-94777 | Fixed an issue where a 500Internal Server error
occurred for traffic that matched a Security policy rule with a
URL Filtering profile that specified a continue action (ObjectsSecurity ProfilesURL Filtering) because the
firewall did not treat the API keys as binary strings. |
PAN-94698 | Fixed an issue on PA-5000 Series firewalls
where a process (all_pktproc) on the dataplane stopped
responding if you enabled the send icmp unreachable Action
Setting (Policies<rule>Actions). |
PAN-94646 | Fixed an issue with firewalls in a high
availability (HA) configuration where a an HA sync initiated from
the active peer caused a race condition while processing the previous
request. |
PAN-94637 | Fixed an issue where an XML API call to
execute the request system external-list show command
did not escape the ampersand ( & )
character in the Source section of the XML output, which resulted
in a parse error. |
PAN-94571 | Fixed an issue on PA-800 Series, PA-3200
Series, and PA-5200 Series firewalls where tunnel-bound traffic
was incorrectly routed through an ECMP route instead of a PBF route
as expected. |
PAN-94497 | Fixed an issue where the default static
route was not present in the routing table after you removed the
DHCP-provided default gateway when you configured a default static
route and DHCP provided the same default route. |
PAN-94452 | Fixed an issue where the firewall recorded
GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage
packet captures (pcaps). |
PAN-94447 | Fixed an issue where deleting all FQDN objects
that are no longer in use did not remove them from the FQDN refresh
table, which caused firewalls to continue resolving these old objects
per the schedule. |
PAN-94409 | Fixed an issue where FTP traffic failed
and hit an incorrect security policy due to missing predict sessions. |
PAN-94291 | Fixed an issue where a firewall failed to
process packets if the previous session was cleared (either from
the CLI or web interface), the client uses the same source port,
and when the new session is installed on dataplane1 (dp1). |
PAN-94290 | Fixed an issue where fragmented packets
were dropped when traversing a firewall in an HA active/active configuration. |
PAN-94221 | Fixed an issue when QoS was configured where
the dataplane restarted due to a packet process failure. |
PAN-94124 | Fixed an issue where a PA-800 Series firewall
dropped UDP packets traversing port 0. |
PAN-94062 | Fixed an issue where the dataplane stopped
responding due to a failed packet buffer initialization after the
firewall rebooted. |
PAN-94043 | Fixed an issue where, when an administrator
made and committed partial changes, the disabled address objects
used in a disabled security policy were pushed from Panorama and
retained on the firewall but were deleted when an administrator
performed a full commit from Panorama. |
PAN-93990 | Fixed an issue where a VM-Series firewall
was unable to ping the gateway in a multiple virtual router configuration
when interfaces received IP address through DHCP. |
PAN-93973 | Fixed an issue on an M-100 appliance where
logging stopped when a process (vldmgr) stopped responding. |
PAN-93864 | Fixed an issue where the password field
did not display in the GlobalProtect portal login dialog if you
attached the certificate profile to the portal configuration. |
PAN-93811 | Fixed an issue where the Panorama task manager
view on the web interface stopped responding after multiple appliances
reported multiple errors and warnings in commit job details. |
PAN-93754 | A security-related fix was made to address
vulnerabilities related to some SAML implementations (CVE-2018-0486
and CVE-2018-0489). Refer to www.kb.cert.org/vuls/id/475445 for details. |
PAN-93753 | Fixed an issue on PA-200 firewalls where
disk space usage was constantly running high and often reaching
maximum capacity. With this fix, the PA-200 firewall purges logs
more quickly and it no longer requires as much space for monitor
daemons. |
PAN-93609 | Fixed an issue where the firewall silently
dropped the first packet of a session when that packet was received
as a fragmented packet (typically with UDP traffic). |
PAN-93457 | Fixed an issue where continuous renewal
for a session that went into DISCARD state when the firewall reached
its resource limit prevented the creation of new sessions that matched
that DISCARD session. |
PAN-93331 | Fixed an issue where the firewall applied
the wrong checksum when a re-transmitted packet in a NAT session
had different TCP flags, which caused the recipient to drop those
packets. |
PAN-93329 | Fixed an issue where the non-session-owner
firewall in a high availability (HA) active/active configuration
with asymmetric traffic flow dropped TCP traffic when TCP reassembly
failed. |
PAN-93152 | Fixed an intermittent Panorama issue where,
after upgrading to PAN-OS 8.0 or a later release and when connected
to a WF-500 appliance, commit validations failed due to a mismatched
threat ID range on the WildFire private cloud. |
PAN-93005 | Fixed an issue where the firewall generated
System logs with high severity for Dataplane undersevere load conditions
that did not affect traffic. With this fix, the System logs have
low severity for Dataplaneunder severe load conditions
that do not affect traffic. |
PAN-92745 | Fixed an issue where the Vulnerability Protection
profile exceptions view included threat IDs that were disabled or
not supported for the PAN-OS release version. Now, only IDs for
signatures that are included in the currently-installed content
package are displayed. |
PAN-92740 | Fixed an issue in an NSX environment where
the Panorama management server displayed an incorrect number of
tags under Dynamic Address Groups when you configured a static tag
in one or more address groups. |
PAN-92609 | Fixed an issue where the firewall could
not forward full information for a Protocol-Independent Multicast
(PIM) group to a peer PIM router when the PIM bootstrap message
was larger than the maximum transmission unit (MTU) of the firewall
interface. |
PAN-92548 | Fixed an intermittent issue where a race
condition caused the Logging Service or WF-500 appliances to disconnect
from or become unresponsive to firewalls or the Panorama management
server. |
PAN-92257 | Fixed an issue where the firewall was intermittently
sending incorrect bytes-per-packet values for some flows to the
NetFlow collector. |
PAN-92105 | Fixed an issue where the Panorama Log Collectors
did not receive some firewall logs and took longer than expected
to receive all logs when a Collector Group had spaces in its name. |
PAN-92033 | Fixed an issue during the software download
process that prevented some firewalls and appliances from properly
receiving these images. |
PAN-92017 | Fixed an issue where Log Collectors that
belonged to a collector group with a space in its name failed to
fully connect to one another, which affected log visibility and
logging performance. |
PAN-91926 | Fixed an issue where GlobalProtect users
could not access some websites decrypted by the firewall due to
an issue with premature deletion of proxy sessions. |
PAN-91662 | Fixed an issue where a certificate was loaded
without a digital signature, which caused the configuration (configd) daemon
to stop responding. |
PAN-91316 | Fixed an issue where you couldn't unlock
administrator accounts with expired passwords because the firewall
didn't display a lock icon for their accounts in the Locked User
column (DeviceAdministrators). |
PAN-91259 | Fixed an issue where the predict session
for the rmi-iiop application was not created correctly, which caused
server-to-client initiated sessions to traverse slow-path inspection
and, eventually, policy rules denied the traffic associated with
these sessions. |
PAN-91021 | Fixed an issue where, in a multiple virtual
system (vsys) configuration on Panorama, you could not add a certificate
defined in vsys to a certificate profile in the same vsys unless
the vsys was defined using the default name. |
PAN-90952 | Fixed an issue on PA-5000 Series firewalls
where multicast traffic failed because PAN-OS did not remove stale
sessions from the hardware session offload processor. |
PAN-90752 | Fixed an issue on Panorama where the Last
Commit State column (PanoramaManaged Devices) did not get
updated after a Template-Only configuration push to firewalls. |
PAN-90535 | Fixed an issue where the firewall unnecessarily
sent an Authorize-only request to the RADIUS server which was denied
during the login process if you disabled the Retrieve Framed-IP-Address
attribute from authentication server (NetworkGlobalProtectGateways<gateway>AgentClient Settings<clients_configuration>IP Pools) in the GlobalProtect
gateway configuration. |
PAN-89620 | Fixed an intermittent issue where traffic
stopped flowing through the IPSec tunnel in a hub-and-spoke multiple-vendor
configuration. |
PAN-89346 | Fixed an issue where an XML API call to
execute the show system raid detail command
returned an error. |
PAN-88473 | Fixed an issue where the firewall was sending
incorrect bytes-per-packet values to the NetFlow collector when
two servers were configured in the same NetFlow profile. |
PAN-88048 | Fixed an issue where a VM-Series firewall
on KVM in MMAP mode didn't receive traffic after you enabled the
i40e single-root input/output virtualization (SR-IOV) virtual function
(VF). |
PAN-87855 | Fixed an issue where some ICMP Type 4 traffic
was not blocked as expected after you created a deny Security policy
rule with custom App-ID for ICMP Type 4 traffic. |
PAN-87166 | Fixed a rare issue on PA-7000 Series firewalls
where 20GQ NPC QSFP+ ports didn't link up (during online insertion
and removal (OIR), link-state change, or boot up events) and became
unrecoverable until the NPC was restarted. |
PAN-86769 | Fixed an issue where a firewall did not
forward logs when using the category eq command-and-control filter. |
PAN-86630 | Fixed an issue where the firewall dropped
H.323 gatekeeper-assisted calls after failing to perform NAT translation
of third-party addresses in H.323 messages. |
PAN-86327 | Fixed an issue where the firewall rebooted
into maintenance mode. |
PAN-85522 | Fixed an issue on PA-5200 Series firewalls
where an SFP+ (10Gbps) transceiver (PAN-SFP-PLUS-CU-5M) was incorrectly
identified as an SFP (1Gbps) transceiver. |
PAN-83153 | Fixed an issue where a Panorama virtual
appliance in Legacy mode that was deployed in a high availability
(HA) configuration did not receive logs forwarded from PA-7000 Series
and PA-5200 Series firewalls. |
PAN-83047 | Fixed an issue where the firewall displayed
the following commit warning when you configured a GlobalProtect
gateway with a Tunnel Interface set to the
default tunnel interface (NetworkGlobalProtectGateways<gateway>General) even after you enabled
IPv6: Warning: tunnel tunnel ipv6 is not enabled. IPv6 address will be ignored! |
PAN-80091 | Fixed an issue where no results were returned
for a Global Find request when using the short name domain\group
format. |
PAN-79291 | Fixed an intermittent issue with ZIP hardware offloading where firewalls identified ZIP files as threats when they were sent over Simple Mail Transfer Protocol (SMTP). |
PAN-42036 | Fixed a rare intermittent issue on PA-800
Series, PA-2000 Series, PA-3000 Series, PA-5000 Series, PA-5200
Series, and PA-7000 Series firewalls where the firewall unexpectedly
rebooted due to memory page allocation failure, which generated
a non-maskable interrupt (NMI) watchdog error on the serial console. |
PAN-33746 | Fixed an issue where the firewall dropped
IKE traffic when another IKE session was in the discard state on
the firewall because the the new session matched the discard session.
This issue persisted because the discard sessions remained on the
firewall longer than expected because the firewall refreshed the
discard-session timeout each time the 5-tuple on a new session matched
the 5-tuple on the discard session. |