PAN-OS 8.1.3 Addressed Issues

PAN-OS® 8.1.3 addressed issues
Issue ID
Fixed an issue where RAID rebuilding after disk replacement either failed or took longer than expected.
Fixed an issue with inconsistencies in the IP address-to-username mappings after upgrading the User-ID agent to a User-ID agent 8.1 release.
Fixed an issue where the dataplane restarted multiple times when multiple processes stopped responding when accessing invalid memory.
Fixed an issue where the GlobalProtect app incorrectly displays a warning (Password Warning:Password expires in 0 days) even though the password has not, yet, expired.
Fixed an intermittent issue where the dataplane restarted when processing Clientless VPN traffic.
Fixed an issue where a PA-7000 Series firewall with a 20GQ Network Processing Card (NPC) failed to properly initiate all QSFP modules.
Fixed an issue where the firewall incorrectly dropped GTPv2-C Modify Bearer Response packets due to a sequence-number mismatch.
Fixed an issue where the route (routed) process on a passive firewall in a high availability (HA) cluster restarted when receiving an update from the active peer for a multicast route destined for a multicast group that does not exist on the firewall.
Fixed an issue where emails were not sent using the configured email service route as expected.
Fixed an issue where a PA-3200 Series firewall processed traffic that was in suspended mode
Fixed an issue where a PA-5200 Series firewall processed traffic that was in suspended mode.
Fixed an issue where the dataplane stopped responding when a tunnel interface on the firewall received fragmented packets.
Fixed an issue on a VM-Series firewall on Azure where a process (logrcvr) stopped responding.
Fixed an issue where the SAP Success Factor app failed to load because the Cipher-cloud was configuring cookies with the at ( @ ) character in the cookie name but Palo Alto Networks firewalls used the @ character as a separator for storing cookies locally, which caused the firewall to misinterpret the cookies.
Fixed an issue where NetFlow caused an invalid memory-access issue that caused the pan_task process to stop responding.
Fixed an issue where the firewall incorrectly dropped ARP packets and increased the flow_arp_throttle counter.
Fixed an issue where a firewall frequently flapped a BGP session when the firewall did not receive any response from the BFD peer or when BFD was configured only on the firewall.
Fixed an issue where upgrading a Panorama management server on Microsoft Azure from PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2 resulted in an autocommit failure.
Fixed an issue where an administrator who has all administrative rights is unable to add a device to Panorama from the web interface.
Fixed a memory leak associated with the logrcvr process when using custom syslog filters in a syslog profile.
Fixed an issue on a firewall with GTP stateful inspection enabled where the firewall incorrectly identified GTP echo packets as GTP-U application packets.
Fixed an issue on PA-3200 series firewalls where the offload processor did not process route-deletion update messages , which left behind stale route entries and caused sessions to become unresponsive during the session-offload stage.
(PA-3200 Series firewalls only) Fixed an issue where an SFP+ (10Gbps PAN-SFP-PLUS-CU-5M) transceiver was incorrectly identified as an SFP (1Gbps) transceiver.
Fixed an issue where user-account group members in subgroups (n+1) were unnecessarily queried when nested level was set to n.
Fixed an issue where PA-3000 Series firewalls passed file descriptors in a dataplane process (pan_comm) during content (apps and threats) installation and FQDNRefresh job execution, which caused the hardware Layer 7 engine to identify applications incorrectly.
Fixed an issue on PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where Captive Portal was inaccessible for traffic on Secure HTTP (https) websites when SSL decryption was enabled and users were behind a proxy server.
Fixed an issue where an error (mailsend: failed to get stat of file) appeared in the System log due to an incorrect condition check even though there were no issues with the firewall sending PDF reports.
Fixed an issue where device-group operations were discarded when a concurrent commit was triggered by a different administrator.
Fixed an issue where, after upgrading to PAN-OS 8.1.1, User-ID usernames were not populated in traffic logs as expected even though User-ID mappings were present on the dataplane.
Fixed an issue with the Japanese language mode where a firewall displayed garbled characters when an administrator was logging in to the web interface.
Fixed an issue where the firewall rebooted when the management (MGT) interface was connected to a network that contained a network loop, which caused excessive traffic flow on the interface. This issue was observed only on a PA-220 firewall.
Fixed an issue where administrators could not use the new colors that were introduced in PAN-OS 8.1 for creating and modifying banners and messages; these colors were unavailable from the CLI and, though available from the web interface (DeviceSetupManagementBanners and MessagesBanners), administrators received an Operation Failed error when attempting to use them.
Fixed an issue where a Panorama appliance running PAN-OS 8.1.2 was unable to connect to the Logging Service.
Fixed an issue where the default for newly added cloned security rules was Move Top, which placed the new rule at the top of the list. With this fix, the default is After Rule as it was in PAN-OS 8.0 and earlier releases.
Fixed an issue where Inbound inspection failed when a cipher was cleared from the TLS structure during session resumption.
Fixed an issue where new Vendor names for the HIP check were not included when Panorama pushed the configuration to firewalls.
Fixed an issue where a firewall in a high availability (HA) active/active virtual wire (vwire) configuration with SSL decryption enabled passed traffic through the wrong firewall.
Fixed a rare issue where the task manager failed to load in the web interface when a pending job caused subsequent completed jobs to be inappropriately held in memory.
Fixed an issue where the firewall incorrectly blocked SSL sessions subjected to Inbound decryption due to UnsupportedVersion when the Decryption rule referenced a decryption profile with Min - Max TLS Version, even though Block sessions with unsupported versions was disabled (ObjectsDecryptionDecryption Profile). With this fix, the firewall checks the TLS version that the server accepted and compares it with the decryption profile settings when evaluating whether to allow or bypass sessions based on Decryption rules.
Fixed an issue where the User-ID (useridd) process stopped responding due to an out-of-memory issue related to User-ID group mapping.
Fixed an issue on PA-850 firewalls where the session rematch option failed to execute when you added an IP address to the External Dynamic List (EDL) block list.
Fixed an intermittent issue where detecting an unreachable WF-500 node took longer than expected.
Fixed an issue where the GlobalProtect Clientless VPN and GlobalProtect Data options did not display as expected on Panorama (TemplateDeviceDynamic Updates).
Fixed an issue where an unreachable DNS server due to aggressive timers increased the time of PPPoE negotiation and, in some cases, caused negotiation to fail.
A security-related fix was made to address a Denial of Service (DoS) that existed in the PAN-OS management web interface and allowed an authenticated user to shut down all management sessions, which causes the firewall to redirect all logged-in users to the login page (CVE-2018-10140).
Fixed an issue where administrators were required to perform a commit force before pushing a partial or regular commit operation to managed appliances when the management server (mgmtsrvr) or configuration (configd) process encountered a virtual memory leak and restarted.
Fixed an issue where using the the XML API to retrieve Hit Count on a security rule returned an error message: Anerror occurred. See dagger.log for information.
Fixed an issue with an incorrect policy match because google-docs-base was incorrectly identified as SSL.
Fixed an issue in a non-vsys configuration where a firewall dropped the Client Hello packet from tunneled traffic when inbound decryption was enabled because the firewall considered that packet to be an inter-vsys inbound packet.
Fixed an issue where endpoints could not authenticate to a GlobalProtect portal or gateway through client certificate authentication due to an OCSP status of Unknown when the portal or the gateway used a Certificate profile that specified Online Certificate Status Protocol (OCSP) to validate certificates (NetworkGlobalProtectPortals<portal>Authentication).
Fixed an issue where PA-220 firewalls that were bootstrapped with a configuration that enabled jumbo frames did not change the packet buffer size as expected, which resulted in a dataplane restart.
Fixed a memory corruption error that caused the dataplane to restart when content decode length was zero.
Fixed an issue where the show routing protocol bgp rib-out CLI command did not display advertised routes that the firewall sent to the BGP peer. This issue was observed only in a deployment where a firewall is connected to a Border Gateway Protocol (BGP) peer that advertised a route for which the next hop is not in the same subnetwork as the BGP peer interface.
Fixed an issue where the GTP Protection profile name did not appear in the Global Find and Filter options in the Profile column of the security rule to which the GTP profile was attached.
Fixed an issue where Panorama virtual appliances converted from legacy mode to Panorama mode did not properly purge logs, which caused low disk space issues in /opt/panlogs partition.
Fixed an issue where the firewall did not properly identify the google-translate application.
Fixed an issue on PA-3200 Series firewalls where incorrect internal memory allocation reduced the number of simultaneous SSL decryption sessions that the firewall could support.
Fixed an issue where routing FIB entries that were learned from a BGP peer were not deleted when BGP Peering went down.
Fixed an issue where the Filter drop-down did not display properly when you keep the default Target for a Policy rule set to Any.
Fixed an issue where Q-in-Q-tagged packets passed through a firewall without inspection or session creation.
Fixed an issue where multicast FIB entries were inconsistent across dataplanes, which caused the firewall to intermittently drop multicast packets.
Fixed an issue where a firewall dropped SIP-RTP packets flowing through a GRE tunnel when a Tunnel Inspection Policy was configured with Security Options (Tunnel Inspection zones).
Fixed an issue where browsers failed to load custom response pages on decrypted websites when those pages were larger than 8,191 bytes. With this fix, the firewall supports decryption of custom response pages up to 17,999 bytes.
Fixed an issue where the parent device group in the hierarchy did not automatically acquire read-only access for a URL Profile as expected after you assigned write access to a child device group of that parent.
Fixed an issue where a certificate failed to load when the certificate public key exceeded the supported number of characters (2,048).
Fixed an issue where using the test nat-policy-match command from the XML API does not result in any matches when the matching policy is a destination NAT policy.
Fixed an issue where a firewall sent packets out of order when the sending rate was too high.
Fixed an issue where the SSL Certificate Error Notify page didn't display the <certname/><issuer/> variables in the SSL-cert-status-page.
Fixed an issue where VM-Series firewall bootstrapping failed when you transferred the bootstrap package using a base64 encoded user-data file.
Fixed an issue where TACACS+ authorization responded with Illegal packet version because a firewall was incorrectly sending minor version 1, which impacts TACACS+ servers and causes a failed authorization.
Fixed an where issue where non-local administrators using TACACS were unable to log in to the CLI.
Fixed an issue where imported custom applications did not display in Security Policies that were created through the web interface.
Fixed an issue on PA-220 firewalls where either a commit or an EDLRefresh job failed with the following error message: failed to handle CONFIG_UPDATE_START. This issue occurred after an increase in the number of type URL entries in an external dynamic list.
Fixed an issue where the dataplane restarted on a VM-Series firewall on KVM.
Fixed an issue where PA-5200 Series firewalls in a high availability (HA) active/active configuration experienced internal packet corruption that caused the firewalls to stop passing traffic when the active member of a cluster came back up as passive after being either suspended or rebooted (moving from tentative to passive state).
Fixed an issue where firewalls receiving IP addresses via DHCP failed to resolve FQDN objects to an IP address.
Fixed an issue where a 500Internal Server error occurred for traffic that matched a Security policy rule with a URL Filtering profile that specified a continue action (ObjectsSecurity ProfilesURL Filtering) because the firewall did not treat the API keys as binary strings.
Fixed an issue on PA-5000 Series firewalls where a process (all_pktproc) on the dataplane stopped responding if you enabled the send icmp unreachable Action Setting (Policies<rule>Actions).
Fixed an issue with firewalls in a high availability (HA) configuration where a an HA sync initiated from the active peer caused a race condition while processing the previous request.
Fixed an issue where an XML API call to execute the request system external-list show command did not escape the ampersand ( & ) character in the Source section of the XML output, which resulted in a parse error.
Fixed an issue on PA-800 Series, PA-3200 Series, and PA-5200 Series firewalls where tunnel-bound traffic was incorrectly routed through an ECMP route instead of a PBF route as expected.
Fixed an issue where the default static route was not present in the routing table after you removed the DHCP-provided default gateway when you configured a default static route and DHCP provided the same default route.
Fixed an issue where the firewall recorded GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage packet captures (pcaps).
Fixed an issue where deleting all FQDN objects that are no longer in use did not remove them from the FQDN refresh table, which caused firewalls to continue resolving these old objects per the schedule.
Fixed an issue where FTP traffic failed and hit an incorrect security policy due to missing predict sessions.
Fixed an issue on Log Collectors where the show log-collector serial-number <LC_serial_number> CLI command displayed log ages that exceeded log expiration periods.
Fixed an issue where a firewall failed to process packets if the previous session was cleared (either from the CLI or web interface), the client uses the same source port, and when the new session is installed on dataplane1 (dp1).
Fixed an issue where fragmented packets were dropped when traversing a firewall in an HA active/active configuration.
Fixed an issue when QoS was configured where the dataplane restarted due to a packet process failure.
Fixed an issue where a PA-800 Series firewall dropped UDP packets traversing port 0.
Fixed an issue where the dataplane stopped responding due to a failed packet buffer initialization after the firewall rebooted.
Fixed an issue where, when an administrator made and committed partial changes, the disabled address objects used in a disabled security policy were pushed from Panorama and retained on the firewall but were deleted when an administrator performed a full commit from Panorama.
Fixed an issue where a VM-Series firewall was unable to ping the gateway in a multiple virtual router configuration when interfaces received IP address through DHCP.
Fixed an issue on an M-100 appliance where logging stopped when a process (vldmgr) stopped responding.
Fixed an issue on firewalls with SSL decryption configured where the dataplane restarted because the all_pktproc process stopped responding after decryption errors occurred.
Fixed an issue where the password field did not display in the GlobalProtect portal login dialog if you attached the certificate profile to the portal configuration.
Fixed an issue where the Panorama task manager view on the web interface stopped responding after multiple appliances reported multiple errors and warnings in commit job details.
A security-related fix was made to address vulnerabilities related to some SAML implementations (CVE-2018-0486 and CVE-2018-0489). Refer to for details.
Fixed an issue on PA-200 firewalls where disk space usage was constantly running high and often reaching maximum capacity. With this fix, the PA-200 firewall purges logs more quickly and it no longer requires as much space for monitor daemons.
Fixed an issue where the firewall silently dropped the first packet of a session when that packet was received as a fragmented packet (typically with UDP traffic).
Fixed an issue where continuous renewal for a session that went into DISCARD state when the firewall reached its resource limit prevented the creation of new sessions that matched that DISCARD session.
Fixed an issue where the firewall applied the wrong checksum when a re-transmitted packet in a NAT session had different TCP flags, which caused the recipient to drop those packets.
Fixed an issue where the non-session-owner firewall in a high availability (HA) active/active configuration with asymmetric traffic flow dropped TCP traffic when TCP reassembly failed.
(VM-50 Lite firewalls only) Fixed an intermittent issue where the firewall reported wild-fire-authfailed due to ssl error 58 errors in the system log due to management plane out-of-memory errors when a process (varrcvr) attempted to register to the cloud.
Fixed an intermittent Panorama issue where, after upgrading to PAN-OS 8.0 or a later release and when connected to a WF-500 appliance, commit validations failed due to a mismatched threat ID range on the WildFire private cloud.
Fixed an issue where the firewall generated System logs with high severity for Dataplane undersevere load conditions that did not affect traffic. With this fix, the System logs have low severity for Dataplaneunder severe load conditions that do not affect traffic.
Fixed an issue in an NSX environment where the Panorama management server displayed an incorrect number of tags under Dynamic Address Groups when you configured a static tag in one or more address groups.
Fixed an issue where the firewall could not forward full information for a Protocol-Independent Multicast (PIM) group to a peer PIM router when the PIM bootstrap message was larger than the maximum transmission unit (MTU) of the firewall interface.
Fixed an intermittent issue where a race condition caused the Logging Service or WF-500 appliances to disconnect from or become unresponsive to firewalls or the Panorama management server.
Fixed an issue where the firewall was intermittently sending incorrect bytes-per-packet values for some flows to the NetFlow collector.
Fixed an issue where the Panorama Log Collectors did not receive some firewall logs and took longer than expected to receive all logs when a Collector Group had spaces in its name.
Fixed an issue during the software download process that prevented some firewalls and appliances from properly receiving these images.
Fixed an issue where Log Collectors that belonged to a collector group with a space in its name failed to fully connect to one another, which affected log visibility and logging performance.
Fixed an issue where GlobalProtect users could not access some websites decrypted by the firewall due to an issue with premature deletion of proxy sessions.
Fixed an issue where a certificate was loaded without a digital signature, which caused the configuration (configd) daemon to stop responding.
Fixed an issue where you couldn't unlock administrator accounts with expired passwords because the firewall didn't display a lock icon for their accounts in the Locked User column (DeviceAdministrators).
Fixed an issue where the predict session for the rmi-iiop application was not created correctly, which caused server-to-client initiated sessions to traverse slow-path inspection and, eventually, policy rules denied the traffic associated with these sessions.
Fixed an issue where, in a multiple virtual system (vsys) configuration on Panorama, you could not add a certificate defined in vsys to a certificate profile in the same vsys unless the vsys was defined using the default name.
Fixed an issue on PA-5000 Series firewalls where multicast traffic failed because PAN-OS did not remove stale sessions from the hardware session offload processor.
Fixed an issue on Panorama where the Last Commit State column (PanoramaManaged Devices) did not get updated after a Template-Only configuration push to firewalls.
Fixed an issue where the firewall unnecessarily sent an Authorize-only request to the RADIUS server which was denied during the login process if you disabled the Retrieve Framed-IP-Address attribute from authentication server (NetworkGlobalProtectGateways<gateway>AgentClient Settings<clients_configuration>IP Pools) in the GlobalProtect gateway configuration.
Fixed an intermittent issue where traffic stopped flowing through the IPSec tunnel in a hub-and-spoke multiple-vendor configuration.
Fixed an issue where an XML API call to execute the show system raid detail command returned an error.
Fixed an issue where the firewall was sending incorrect bytes-per-packet values to the NetFlow collector when two servers were configured in the same NetFlow profile.
Fixed an issue where a VM-Series firewall on KVM in MMAP mode didn't receive traffic after you enabled the i40e single-root input/output virtualization (SR-IOV) virtual function (VF).
Fixed an issue where some ICMP Type 4 traffic was not blocked as expected after you created a deny Security policy rule with custom App-ID for ICMP Type 4 traffic.
Fixed a rare issue on PA-7000 Series firewalls where 20GQ NPC QSFP+ ports didn't link up (during online insertion and removal (OIR), link-state change, or boot up events) and became unrecoverable until the NPC was restarted.
Fixed an issue where a firewall did not forward logs when using the category eq command-and-control filter.
Fixed an issue where the firewall dropped H.323 gatekeeper-assisted calls after failing to perform NAT translation of third-party addresses in H.323 messages.
Fixed an issue where the firewall rebooted into maintenance mode.
Fixed an issue on PA-5200 Series firewalls where an SFP+ (10Gbps) transceiver (PAN-SFP-PLUS-CU-5M) was incorrectly identified as an SFP (1Gbps) transceiver.
Fixed an issue where a Panorama virtual appliance in Legacy mode that was deployed in a high availability (HA) configuration did not receive logs forwarded from PA-7000 Series and PA-5200 Series firewalls.
Fixed an issue where the firewall displayed the following commit warning when you configured a GlobalProtect gateway with a Tunnel Interface set to the default tunnel interface (NetworkGlobalProtectGateways<gateway>General) even after you enabled IPv6: Warning: tunnel tunnel ipv6 is not enabled. IPv6 address will be ignored!
Fixed an issue where no results were returned for a Global Find request when using the short name domain\group format.
Fixed an intermittent issue with ZIP hardware offloading where firewalls identified ZIP files as threats when they were sent over Simple Mail Transfer Protocol (SMTP).
Fixed a rare intermittent issue on PA-800 Series, PA-2000 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where the firewall unexpectedly rebooted due to memory page allocation failure, which generated a non-maskable interrupt (NMI) watchdog error on the serial console.
Fixed an issue where the firewall dropped IKE traffic when another IKE session was in the discard state on the firewall because the the new session matched the discard session. This issue persisted because the discard sessions remained on the firewall longer than expected because the firewall refreshed the discard-session timeout each time the 5-tuple on a new session matched the 5-tuple on the discard session.

Related Documentation