PAN-OS 8.1.4 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 8.1.4 Addressed Issues
PAN-OS® 8.1.4 addressed issues
Issue ID | Description |
---|---|
WF500-4739 | Fixed an issue where WF-500 appliances failed
to analyze Excel files because the files contained links and required
a manual response to a popup dialog about whether to update those
links before opening the file. |
WF500-4738 | Fixed an issue where the WF-500 appliance
factory reset failed. |
WF500-4737 | Fixed an issue on a WF-500 appliance where
in maintenance mode, network activity did not occur. |
WF500-4690 | Fixed an issue where the WF-500 appliance
reported incorrect memory utilization values through SNMP (hrStorageUsed). |
WF500-4664 | Fixed an issue where the WF-500 appliance
SNMP notifications did not provide information for the eth2 and
eth3 interfaces. |
WF500-4466 | Fixed an issue on WF-500 passive cluster
members where file forwarding was incorrectly disabled, which prevented
the passive firewall from uploading samples. |
WF500-4362 | Fixed an issue on WF-500 appliances that
caused a compliance scan to incorrectly report two vulnerabilities:
SSL Server Supports DES Ciphers (Sweet32 Exposure) and NGINX Log
Escape Sequence Injection Vulnerability. |
PAN-105724 | Fixed an issue where the firewall did not
generate a new random value in the TLS Server Hello message, which
breaks TLSv1.3 connections when SSL Forward Proxy decryption is
enabled. |
PAN-104920 | Fixed an issue where administrators were
not able to create a WF-500 cluster unless they first configured
an HA1 backup. |
PAN-104293 | Fixed a rare issue where PA-3200 Series
firewalls started dropping offloaded traffic. |
PAN-104131 | Fixed an issue with the Panorama Interconnect
plugin where Panorama Node child jobs were not displayed under Panorama
Controller Tasks (PanoramaInterconnectTasks)
as expected when you tried to Push Common Config (PanoramaInterconnectPanorama Nodes). |
PAN-104116 | Fixed an issue where a hardware packet buffer
leak caused firewall performance to degrade. |
PAN-103921 | Fixed an issue on a PA 3200 Series firewall
where the dataplane failed due to an internal path monitoring failure. |
PAN-103442 | Fixed an intermittent issue on a PA-3200
Series firewall where the forwarding information base (FIB) did
not update correctly, which prevented successful forwarding of offloaded
traffic. |
PAN-102943 | Fixed an Issue where a process (mgmtsrvr)
failed on EDL refresh when configured over a Secured Socket Layer
(SSL) connection. |
PAN-102750 | Fixed an issue on a PA-5000 Series firewall
where the dataplane restarts when multicast traffic matched a stale
session on the offload processor that was not cleared as expected. |
PAN-102664 | Fixed an issue where a process (rasmgr) restarted
when a satellite tunnel tear down command
and a get user config command occurred simultaneously. |
PAN-102631 | Fixed an issue where a process (rasmgr) restarted
multiple times, which caused the firewall to reboot. |
PAN-102168 | Fixed an issue where a PA-5200 Series firewall
processed the tunnel-monitoring with profile-failover as having
the tunnel status up and peers as down during initial configuration. |
PAN-102140 | Fixed an issue where Extended Authentication
(X-Auth) clients intermittently failed to establish an IPSec tunnel
to GlobalProtect™ gateways. |
PAN-101955 | Fixed an issue on an M-100 appliance in
a high availability (HA) configuration where administrators could
not reestablish access to the appliance after a session ended unexpectedly. |
PAN-101704 | Fixed an issue where a configured Layer
3 interface erroneously opened ports 28869/tcp and 28870/tcp on
the IP address assigned to that Layer 3 interface. |
PAN-101289 | Fixed an issue where simultaneous management
access allowed only one user to log in at a time. |
PAN-101182 | Fixed an issue where a system failure occurred
due to packet size exceeding the hardware limit. |
PAN-100985 | Fixed an issue with PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where the firewall fails to clear cache for refreshing the FQDN list, which periodically results in an out of memory condition that forces the firewall to reboot. |
PAN-100794 | Fixed an issue where SNMP fan trays did
not initialize as expected and prevented the SNMP manager from receiving
fan tray information. |
PAN-100715 | Fixed an issue on VM-Series firewalls where
the dataplane stops processing traffic when attempting to transmit
packets larger than the firewall maximum transmission unit (MTU). |
PAN-100345 | (PA-200, PA-220, PA-220R, PA-500, and
PA-800 Series firewall only) Fixed an issue where a large number
of group mappings caused the firewall to display out-of-memory (OOM)
errors and restart. |
PAN-100031 | Fixed an issue where the content rewriter
module failed to properly handle simultaneous chunked and zipped
responses, and did not send end of response. |
PAN-99964 | Fixed an issue on an M-100 appliance where
a bulk set of commands timed out causing config locks and, while
running any subsequent show commands, responded with the following
message: Server error: Timed out while getting config lock. Please try again. |
PAN-99936 | Fixed an issue where access to Panorama™
accounts failed due to the removal of IPv4 address and exclusive
use of IPv6 on the management (MGT) port. |
PAN-99897 | Fixed an issue where a configuration change
commit was accepted when only one virtual wire (vwire) interface
was defined in a vwire pair. With this fix, a commit for a change
where only one vwire interface is defined for a vwire pair is rejected
and an error message is displayed. |
PAN-99830 | A security-related fix was made to address
a cross-site scripting (XSS) vulnerability in the GlobalProtect
Portal login page. |
PAN-99780 | Fixed an issue where the second virtual
system (vsys) dropped TCP traffic that was out-of-order when that
second vsys controlled the proxy session in a multi-vsys configuration. |
PAN-99590 | Fixed an issue where the firewall did not
return Captive Portal response pages as expected due to depletion
of file descriptors. |
PAN-99392 | Fixed an issue where RADIUS VSA administrators
were able to login for one hour after their VSA administrator role
was removed on the RADIUS server. |
PAN-99310 | Fixed an issue where the firewall attempted
to reconnect to the LDAP server when an empty Distinguished Name
(DN) returned for an invalid user. |
PAN-99260 | Fixed an issue where the firewall dataplane
restarted due to missing SIP parent information after an HA failover
event. |
PAN-99141 | Fixed an issue in an HA active/active virtual
wire configuration where a race condition caused the firewall to
intermittently drop First SYN packets when they traversed the HA3
link. |
PAN-99110 | Fixed an issue where a library (libpam_pan.so) did
not handle incorrect passwords as expected. |
PAN-99095 | Fixed an issue in Panorama where a commit failed message
appeared in the Template Last Commit column in the device management
summary after a Panorama reboot or upgrade. |
PAN-99060 | Fixed an issue where searching through pcaps
from a Log Collector in a configuration with multiple Log Collectors
took longer than expected. |
PAN-98976 | Fixed an intermittent issue where Captive
Portal multi-factor authentication (MFA) failed and discarded new
MFA requests. |
PAN-98949 | Fixed an issue on Panorama where generating
a threat pcap from the web interface (Monitor tab)
took longer than expected and caused the web interface and CLI to
become inaccessible. |
PAN-98885 | Fixed an issue where high elastic search
memory load caused the firewall not to display logs and reboot |
PAN-98694 | Fixed an issue on a PA-5200 Series firewall
in an HA active/passive configuration where the firewall dropped
TCP-FIN packets after a failover. |
PAN-98635 | Fixed an issue on the Panorama centralized
management server where the logs related to the clear-log system
were not forwarded to the Syslog server. |
PAN-98632 | Fixed an issue on VM-Series firewalls where
administrators could not log in to a firewall with an AMI image
created from a virtual machine (VM). |
PAN-98504 | A security-related fix was made to address
three OpenSSL vulnerabilities: CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739. |
PAN-98479 | Fixed an issue where Panorama displayed
a File not found error when you attempted
to view or download Threat pcaps from the Monitor tab. |
PAN-98392 | Fixed an issue where the commit failed and
the device server log displayed the following message: failed to handle CONFIG_UPDATE_START. |
PAN-98320 | Fixed an issue where after you exit a process,
a fixed amount of memory did not release which caused memory leaks. |
PAN-98195 | Fixed an issue on a PA-220 firewall in an
HA active/passive configuration and with jumbo frames enabled (DeviceSetupSession) where
configuration and dynamic updates failed to synchronize. |
PAN-98189 | Fixed an issue where firewall overrides
configuration to not validate first ASN, resulting in multi-lateral
BGP connection flaps peering over an internet exchange. |
PAN-98101 | Fixed an issue where a log record in the
JSON query caused a process (reportd) to fail. |
PAN-97881 | Fixed an issue where an administrator with
the CLI Device Read privilege was able to discard a session that
was revoked. |
PAN-97832 | Fixed an issue on VM-Series firewalls where
the virtual machine (VM) information source made incorrect calls
in FIPS-CC mode. |
PAN-97831 | Fixed an issue where the set ssh service-restart mgmt CLI
command did not respond correctly. |
PAN-97572 | Fixed an issue in an HA active/passive configuration
where URL request messages were not prioritized from the dataplane
to the management plane and where a high rate of log generation
in the dataplane caused inconsistent URL categorization. |
PAN-97547 | Fixed an issue where the log in banner did
not display properly when configured to single long-line. |
PAN-97358 | Fixed an issue in an HA active/passive configuration
where an HA sync job executed while a commit all job was processing. |
PAN-97355 | Fixed an issue where the GlobalProtect connection
failed with the following dataplane ICMPv6 message: Packet too big due
to the firewall MTU value set lower than normal. |
PAN-97324 | Fixed an issue where values were missing
in the URL field in the Data Filtering logs. |
PAN-97315 | Fixed an issue on Panorama M-Series and
virtual appliances where the configuration (configd)
process stopped responding after you entered a filter string and
tried to Add Match Criteria for any Dynamic address group
type (ObjectsAddress
Groups). |
PAN-97296 | Fixed an issue where the Panorama web interface Group
Mapping Setting took longer to load than expected when
there were multiple device groups and each group reported to a different
master device. |
PAN-97253 | Fixed an issue where audio failed for long-lived
session initiated protocol (SIP) sessions subjected to six content
updates. |
PAN-97084 | Fixed a rare issue where the task manager
failed to load in the web interface when a pending job caused subsequent
completed jobs to be inappropriately held in memory. |
PAN-97077 | Fixed an issue on Panorama M-Series and
virtual appliances where the report-generation process stopped responding
due to a corrupt log record in the JSON query. |
PAN-96796 | Fixed an intermittent issue where session
BIND messages were dropped in a Dynamic IP configuration. |
PAN-96780 | Fixed an issue on a PA-3220 firewall where
the external dynamic list refresh and commit, failed after an increase
in the number of external dynamic list objects in the firewall. |
PAN-96678 | Fixed an issue on PA-800 Series firewalls
where the web interface did not display or allow you to configure
the bandwidth setting any higher than 1Gbps. |
PAN-96645 | Fixed an issue where generation of extraneous
data filtering logs for SMB protocol traffic occurred without data
filtering or file blocking securities rules in place. |
PAN-96579 | Fixed an issue where the Syslog server received
an incorrect vsys/port log message when multiple vsys systems, with
the same profile name and different port numbers, are connected
to a single syslog server. |
PAN-96565 | Fixed an issue where the DNS proxy process
failed due to a DNS response packet containing a TXT resource record
with length = 0. |
PAN-96477 | Fixed an issue where PA-5000 Series firewalls
did not send an IGMP query immediately after an HA failover. |
PAN-96461 | Fixed an issue where software deployment
from Panorama to a managed firewall failed. |
PAN-96431 | A security-related fix was made to prevent
HTTP Header Injection in the Captive Portal. |
PAN-96316 | Fixed an issue during a decrypted session
on an L3 Aggregate Ethernet (AE) interface, where an incorrectly
formatted threat packet capture (pcap) caused malformed packet captures
during an inspection. |
PAN-96231 | Fixed an issue where a commit took significantly
longer than expected when cloning a rule compared to when configuring
a new rule when the configuration contained a large number of rules. |
PAN-96183 | Fixed an issue on Panorama M-Series and
virtual appliances where logs failed to purge from the log-disks
when /opt/pancfg partition usage reached 100%. |
PAN-96109 | Fixed an issue where a Panorama appliance
returned the following error: mgmtsrvr: User restart reason - Virtual memory limit exceeded (8204808 > 8192000). |
PAN-95999 | Fixed an issue where firewalls in an HA
active/active configuration with a default session setup and owner
configuration dropped packets in a GlobalProtect VPN tunnel that
used a floating IP address. |
PAN-95958 | Fixed an issue where a PA-220 firewall did
not recognize the panDeviceLogging SNMP object identifier. |
PAN-95931 | Fixed an issue where some fields did not
populate the template when logs are forwarded to the HTTP Server. |
PAN-95902 | Fixed an issue where the header captions
you configured for PDF Summary Reports or for Custom Reports were
not used for the report name as expected. |
PAN-95815 | Fixed an issue where the firewall returns
an empty response for the API call show user ip-user-mapping. |
PAN-95765 | Fixed an issue on Panorama where Collector Groups and WildFire
Appliances and Clusters (CommitPush to DevicesEdit Selections)
that were already in sync with the current configuration were incorrectly
selected and, thus, included when you attempted to push a configuration
only to appliances that were not in sync. |
PAN-95698 | Fixed an issue where the firewall revealed
part of a password in cleartext on the command-line interface (CLI)
and management server (mgmtsrvr) log when an administrator
attempted to set a password that exceeded the maximum number of
characters (31) using the CLI. With this fix, the firewall reports
an error when an administrator attempts to set a password that contains
more than 31 characters without revealing any part of the actual
password. |
PAN-95438 | Fixed an issue where Panorama M-Series and
virtual appliances did not resolve the FQDN list because a bootstrap
setting (cfg.product.bootstrap) was set to factory_reset. |
PAN-95407 | Fixed an issue where an API call resulted
in an incorrect response. |
PAN-95331 | Fixed an issue where a temporary flap on
configured Aggregate Ethernet (AE) interfaces cleared the dataplane
debug logs. |
PAN-95265 | Fixed an issue on a PA-220 firewall where
exporting the device state from Panorama command-line interface
(CLI) included the default bidirectional forwarding detection (BFD)
configuration, which caused a commit to fail on the firewall when
uploading the device state. |
PAN-95200 | Fixed an issue on an M-100 appliance where
reports did not generate in user groups. |
PAN-95119 | Fixed an issue where TCP segments with large
sequence numbers caused the dataplane to fail while large file sizes
are transferred. |
PAN-95054 | Fixed an issue where temporary files not
properly cleaned caused disk space issues. |
PAN-95045 | Fixed an issue where the syslog messages
that terminated with 0 prevented the firewall from identifying matching
patterns in the message. |
PAN-94559 | Fixed an issue on an M-500 appliance where
a bootstrapped firewall automatically added to Panorama did not
commit the changes. |
PAN-94385 | Fixed an issue on Log Collectors where the show log-collector serial-number <LC_serial_number> CLI command
displayed log ages that exceeded log expiration periods. |
PAN-94236 | Fixed an issue where files failed to upload
to the WildFire cloud when file-forwarding queue limit was reached
on the dataplane. When this occurred, the WildFire upload log included
the file with a status of offset mismatch. |
PAN-93847 | Fixed an issue where a null-pointer exception
caused the device server (devsrv) process on the management
plane to restart. |
PAN-93127 | Fixed an intermittent issue where NAT traffic
was dropped when NAT parameters were introduced or changed in the
path between the LSVPN GlobalProtect gateway and the GlobalProtect
satellite. To leverage this fix in your network, you must also enable
Tunnel Monitoring on the GlobalProtect Gateway (NetworkGlobalProtectGateways<gp-gateway>SatelliteTunnel Settings). |
PAN-92955 | Fixed an issue on PA-5200 Series firewalls
in an HA active/active configuration where session timeouts occurred
when TCP timers did not update as expected for asymmetric flows. |
PAN-92596 | Fixed an issue where the output of the show neighbor ndp-monitor all command-line
interface (CLI) command was missing a space between the Interface
and IPv6 address columns, which decreased readability. |
PAN-92334 | Fixed an issue where the process (cord)
stopped responding when trying to forward correlation events if
there was no log forwarding profile configured for correlated events. |
PAN-91874 | Fixed an issue where the log receiver failed
due to the logging certificate server name indication (SNI) value. |
PAN-91835 | Fixed an issue where PA-7000 Series firewalls
did not send logs to Panorama. |
PAN-91715 | (PA-3200 Series, PA-5200 Series, and
PA-7000 Series firewalls only) Fixed an issue where the destination
interface configured for a QoS profile rule did not match traffic
as expected. |
PAN-90967 | Fixed an intermittent issue where the Bidirectional
Forwarding Detection (BFD) up time displayed negative values. |
PAN-89849 | Fixed an issue where the antivirus/anti-spyware
block page did not display. |
PAN-89402 | Fixed an issue on PA-3200 Series firewalls
where Ethernet ports 2, 3, 4, 6, 7, 8, and 10 were functioning only
at 1,000Mbps (1Gbps). |
PAN-87867 | Fixed an issue on an M-100 appliance where,
when the interface and snapshot length (snaplen) options were enabled,
the tcpdump command failed to execute with
the following message: Unsupported number of arguments. |
PAN-86759 | Fixed an issue where the URL session information
WildFire® report displayed Unknown for
sample files uploaded from firewalls running a PAN-OS 8.0 release. |
PAN-84199 | Fixed an issue where, after you disabled
the Skip Auth on IKE Rekey option in the
GlobalProtect gateway, the firewall still applied the option: end
users with endpoints that used Extended Authentication (X-Auth)
did not have to re-authenticate when the key for establishing the
IPSec tunnel expired (NetworkGlobalProtectGateways<gateway>AgentTunnel Settings). |
PAN-83946 | Fixed an issue where the default QoS profile
limited the available bandwidth to 10Gbps when you specifically
applied the profile to the ae2 interface; this issue occurred regardless
of the bandwidth setting you configured specifically for that profile. |
PAN-82987 | Fixed an issue where the Panorama web interface
intermittently became unresponsive during ACC queries. |
PAN-81553 | Fixed an issue where the M-100 appliance
used the default value of 1,000 because the maximum number of user
groups was not defined in the system configuration. |