PAN-OS 8.1.4 Addressed Issues

PAN-OS® 8.1.4 addressed issues
Issue ID
Description
WF500-4739
Fixed an issue where WF-500 appliances failed to analyze Excel files because the files contained links and required a manual response to a popup dialog about whether to update those links before opening the file.
WF500-4738
Fixed an issue where the WF-500 appliance factory reset failed.
WF500-4737
Fixed an issue on a WF-500 appliance where in maintenance mode, network activity did not occur.
WF500-4690
Fixed an issue where the WF-500 appliance reported incorrect memory utilization values through SNMP (
hrStorageUsed
).
WF500-4664
Fixed an issue where the WF-500 appliance SNMP notifications did not provide information for the eth2 and eth3 interfaces.
WF500-4466
Fixed an issue on WF-500 passive cluster members where file forwarding was incorrectly disabled, which prevented the passive firewall from uploading samples.
WF500-4362
Fixed an issue on WF-500 appliances that caused a compliance scan to incorrectly report two vulnerabilities: SSL Server Supports DES Ciphers (Sweet32 Exposure) and NGINX Log Escape Sequence Injection Vulnerability.
PAN-105724
Fixed an issue where the firewall did not generate a new random value in the TLS Server Hello message, which breaks TLSv1.3 connections when SSL Forward Proxy decryption is enabled.
PAN-104920
Fixed an issue where administrators were not able to create a WF-500 cluster unless they first configured an HA1 backup.
PAN-104293
Fixed a rare issue where PA-3200 Series firewalls started dropping offloaded traffic.
PAN-104131
Fixed an issue with the Panorama Interconnect plugin where Panorama Node child jobs were not displayed under Panorama Controller Tasks (
Panorama
Interconnect
Tasks
) as expected when you tried to
Push Common Config
(
Panorama
Interconnect
Panorama Nodes
).
PAN-104116
Fixed an issue where a hardware packet buffer leak caused firewall performance to degrade.
PAN-103921
Fixed an issue on a PA 3200 Series firewall where the dataplane failed due to an internal path monitoring failure.
PAN-103442
Fixed an intermittent issue on a PA-3200 Series firewall where the forwarding information base (FIB) did not update correctly, which prevented successful forwarding of offloaded traffic.
PAN-102943
Fixed an Issue where a process (
mgmtsrvr
) failed on EDL refresh when configured over a Secured Socket Layer (SSL) connection.
PAN-102750
Fixed an issue on a PA-5000 Series firewall where the dataplane restarts when multicast traffic matched a stale session on the offload processor that was not cleared as expected.
PAN-102664
Fixed an issue where a process (
rasmgr
) restarted when a
satellite tunnel tear down
command and a
get user config
command occurred simultaneously.
PAN-102631
Fixed an issue where a process (
rasmgr
) restarted multiple times, which caused the firewall to reboot.
PAN-102168
Fixed an issue where a PA-5200 Series firewall processed the tunnel-monitoring with profile-failover as having the tunnel status up and peers as down during initial configuration.
PAN-102140
Fixed an issue where Extended Authentication (X-Auth) clients intermittently failed to establish an IPSec tunnel to GlobalProtect™ gateways.
PAN-101955
Fixed an issue on an M-100 appliance in a high availability (HA) configuration where administrators could not reestablish access to the appliance after a session ended unexpectedly.
PAN-101704
Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.
PAN-101289
Fixed an issue where simultaneous management access allowed only one user to log in at a time.
PAN-101182
Fixed an issue where a system failure occurred due to packet size exceeding the hardware limit.
PAN-100985
Fixed an issue with PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where the firewall fails to clear cache for refreshing the FQDN list, which periodically results in an out of memory condition that forces the firewall to reboot.
PAN-100794
Fixed an issue where SNMP fan trays did not initialize as expected and prevented the SNMP manager from receiving fan tray information.
PAN-100715
Fixed an issue on VM-Series firewalls where the dataplane stops processing traffic when attempting to transmit packets larger than the firewall maximum transmission unit (MTU).
PAN-100345
(
PA-200, PA-220, PA-220R, PA-500, and PA-800 Series firewall only
) Fixed an issue where a large number of group mappings caused the firewall to display out-of-memory (OOM) errors and restart.
PAN-100031
Fixed an issue where the content rewriter module failed to properly handle simultaneous chunked and zipped responses, and did not send end of response.
PAN-99964
Fixed an issue on an M-100 appliance where a bulk set of commands timed out causing config locks and, while running any subsequent show commands, responded with the following message:
Server error: Timed out while getting config lock. Please try again.
PAN-99936
Fixed an issue where access to Panorama™ accounts failed due to the removal of IPv4 address and exclusive use of IPv6 on the management (MGT) port.
PAN-99897
Fixed an issue where a configuration change commit was accepted when only one virtual wire (vwire) interface was defined in a vwire pair. With this fix, a commit for a change where only one vwire interface is defined for a vwire pair is rejected and an error message is displayed.
PAN-99830
A security-related fix was made to address a cross-site scripting (XSS) vulnerability in the GlobalProtect Portal login page.
PAN-99780
Fixed an issue where the second virtual system (vsys) dropped TCP traffic that was out-of-order when that second vsys controlled the proxy session in a multi-vsys configuration.
PAN-99590
Fixed an issue where the firewall did not return Captive Portal response pages as expected due to depletion of file descriptors.
PAN-99392
Fixed an issue where RADIUS VSA administrators were able to login for one hour after their VSA administrator role was removed on the RADIUS server.
PAN-99310
Fixed an issue where the firewall attempted to reconnect to the LDAP server when an empty Distinguished Name (DN) returned for an invalid user.
PAN-99260
Fixed an issue where the firewall dataplane restarted due to missing SIP parent information after an HA failover event.
PAN-99141
Fixed an issue in an HA active/active virtual wire configuration where a race condition caused the firewall to intermittently drop First SYN packets when they traversed the HA3 link.
PAN-99110
Fixed an issue where a library (
libpam_pan.so
) did not handle incorrect passwords as expected.
PAN-99095
Fixed an issue in Panorama where a
commit failed
message appeared in the Template Last Commit column in the device management summary after a Panorama reboot or upgrade.
PAN-99060
Fixed an issue where searching through pcaps from a Log Collector in a configuration with multiple Log Collectors took longer than expected.
PAN-98976
Fixed an intermittent issue where Captive Portal multi-factor authentication (MFA) failed and discarded new MFA requests.
PAN-98949
Fixed an issue on Panorama where generating a threat pcap from the web interface (
Monitor
tab) took longer than expected and caused the web interface and CLI to become inaccessible.
PAN-98885
Fixed an issue where high elastic search memory load caused the firewall not to display logs and reboot
PAN-98694
Fixed an issue on a PA-5200 Series firewall in an HA active/passive configuration where the firewall dropped TCP-FIN packets after a failover.
PAN-98635
Fixed an issue on the Panorama centralized management server where the logs related to the clear-log system were not forwarded to the Syslog server.
PAN-98632
Fixed an issue on VM-Series firewalls where administrators could not log in to a firewall with an AMI image created from a virtual machine (VM).
PAN-98504
A security-related fix was made to address three OpenSSL vulnerabilities: CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739.
PAN-98479
Fixed an issue where Panorama displayed a
File not found
error when you attempted to view or download Threat pcaps from the
Monitor
tab.
PAN-98392
Fixed an issue where the commit failed and the device server log displayed the following message:
failed to handle CONFIG_UPDATE_START.
PAN-98320
Fixed an issue where after you exit a process, a fixed amount of memory did not release which caused memory leaks.
PAN-98195
Fixed an issue on a PA-220 firewall in an HA active/passive configuration and with jumbo frames enabled (
Device
Setup
Session
) where configuration and dynamic updates failed to synchronize.
PAN-98189
Fixed an issue where firewall overrides configuration to not validate first ASN, resulting in multi-lateral BGP connection flaps peering over an internet exchange.
PAN-98101
Fixed an issue where a log record in the JSON query caused a process (
reportd
) to fail.
PAN-97881
Fixed an issue where an administrator with the CLI Device Read privilege was able to discard a session that was revoked.
PAN-97832
Fixed an issue on VM-Series firewalls where the virtual machine (VM) information source made incorrect calls in FIPS-CC mode.
PAN-97831
Fixed an issue where the
set ssh service-restart mgmt
CLI command did not respond correctly.
PAN-97572
Fixed an issue in an HA active/passive configuration where URL request messages were not prioritized from the dataplane to the management plane and where a high rate of log generation in the dataplane caused inconsistent URL categorization.
PAN-97547
Fixed an issue where the log in banner did not display properly when configured to single long-line.
PAN-97358
Fixed an issue in an HA active/passive configuration where an HA sync job executed while a commit all job was processing.
PAN-97355
Fixed an issue where the GlobalProtect connection failed with the following dataplane ICMPv6 message:
Packet too big
due to the firewall MTU value set lower than normal.
PAN-97324
Fixed an issue where values were missing in the URL field in the Data Filtering logs.
PAN-97315
Fixed an issue on Panorama M-Series and virtual appliances where the configuration (
configd
) process stopped responding after you entered a filter string and tried to
Add Match Criteria
for any
Dynamic
address group type (
Objects
Address Groups
).
PAN-97296
Fixed an issue where the Panorama web interface
Group Mapping Setting
took longer to load than expected when there were multiple device groups and each group reported to a different master device.
PAN-97253
Fixed an issue where audio failed for long-lived session initiated protocol (SIP) sessions subjected to six content updates.
PAN-97084
Fixed a rare issue where the task manager failed to load in the web interface when a pending job caused subsequent completed jobs to be inappropriately held in memory.
PAN-97077
Fixed an issue on Panorama M-Series and virtual appliances where the report-generation process stopped responding due to a corrupt log record in the JSON query.
PAN-96796
Fixed an intermittent issue where session BIND messages were dropped in a Dynamic IP configuration.
PAN-96780
Fixed an issue on a PA-3220 firewall where the external dynamic list refresh and commit, failed after an increase in the number of external dynamic list objects in the firewall.
PAN-96678
Fixed an issue on PA-800 Series firewalls where the web interface did not display or allow you to configure the bandwidth setting any higher than 1Gbps.
PAN-96645
Fixed an issue where generation of extraneous data filtering logs for SMB protocol traffic occurred without data filtering or file blocking securities rules in place.
PAN-96579
Fixed an issue where the Syslog server received an incorrect vsys/port log message when multiple vsys systems, with the same profile name and different port numbers, are connected to a single syslog server.
PAN-96565
Fixed an issue where the DNS proxy process failed due to a DNS response packet containing a TXT resource record with length = 0.
PAN-96477
Fixed an issue where PA-5000 Series firewalls did not send an IGMP query immediately after an HA failover.
PAN-96461
Fixed an issue where software deployment from Panorama to a managed firewall failed.
PAN-96431
A security-related fix was made to prevent HTTP Header Injection in the Captive Portal.
PAN-96316
Fixed an issue during a decrypted session on an L3 Aggregate Ethernet (AE) interface, where an incorrectly formatted threat packet capture (pcap) caused malformed packet captures during an inspection.
PAN-96231
Fixed an issue where a commit took significantly longer than expected when cloning a rule compared to when configuring a new rule when the configuration contained a large number of rules.
PAN-96183
Fixed an issue on Panorama M-Series and virtual appliances where logs failed to purge from the log-disks when
/opt/pancfg
partition usage reached 100%.
PAN-96109
Fixed an issue where a Panorama appliance returned the following error:
mgmtsrvr: User restart reason - Virtual memory limit exceeded (8204808 > 8192000).
PAN-95999
Fixed an issue where firewalls in an HA active/active configuration with a default session setup and owner configuration dropped packets in a GlobalProtect VPN tunnel that used a floating IP address.
PAN-95970
Fixed an issue on a PA-500 firewall where the dataplane tunnel content pointer entered a NULL state and caused dataplane processes (
pan_comm
and
tund
) to stop responding, which caused the dataplane to restart.
PAN-95958
Fixed an issue where a PA-220 firewall did not recognize the
panDeviceLogging SNMP
object identifier.
PAN-95931
Fixed an issue where some fields did not populate the template when logs are forwarded to the HTTP Server.
PAN-95902
Fixed an issue where the header captions you configured for PDF Summary Reports or for Custom Reports were not used for the report name as expected.
PAN-95815
Fixed an issue where the firewall returns an empty response for the API call
show user ip-user-mapping
.
PAN-95765
Fixed an issue on Panorama where
Collector Groups
and
WildFire Appliances and Clusters
(
Commit
Push to Devices
Edit Selections
) that were already in sync with the current configuration were incorrectly selected and, thus, included when you attempted to push a configuration only to appliances that were not in sync.
PAN-95698
Fixed an issue where the firewall revealed part of a password in cleartext on the command-line interface (CLI) and management server (
mgmtsrvr
) log when an administrator attempted to set a password that exceeded the maximum number of characters (31) using the CLI. With this fix, the firewall reports an error when an administrator attempts to set a password that contains more than 31 characters without revealing any part of the actual password.
PAN-95438
Fixed an issue where Panorama M-Series and virtual appliances did not resolve the FQDN list because a bootstrap setting (cfg.product.bootstrap) was set to
factory_reset
.
PAN-95407
Fixed an issue where an API call resulted in an incorrect response.
PAN-95331
Fixed an issue where a temporary flap on configured Aggregate Ethernet (AE) interfaces cleared the dataplane debug logs.
PAN-95265
Fixed an issue on a PA-220 firewall where exporting the device state from Panorama command-line interface (CLI) included the default bidirectional forwarding detection (BFD) configuration, which caused a commit to fail on the firewall when uploading the device state.
PAN-95200
Fixed an issue on an M-100 appliance where reports did not generate in user groups.
PAN-95119
Fixed an issue where TCP segments with large sequence numbers caused the dataplane to fail while large file sizes are transferred.
PAN-95054
Fixed an issue where temporary files not properly cleaned caused disk space issues.
PAN-95045
Fixed an issue where the syslog messages that terminated with 0 prevented the firewall from identifying matching patterns in the message.
PAN-94559
Fixed an issue on an M-500 appliance where a bootstrapped firewall automatically added to Panorama did not commit the changes.
PAN-94385
Fixed an issue on Log Collectors where the
show log-collector serial-number <LC_serial_number>
CLI command displayed log ages that exceeded log expiration periods.
PAN-94236
Fixed an issue where files failed to upload to the WildFire cloud when file-forwarding queue limit was reached on the dataplane. When this occurred, the WildFire upload log included the file with a status of
offset mismatch
.
PAN-93847
Fixed an issue where a null-pointer exception caused the device server (
devsrv
) process on the management plane to restart.
PAN-93127
Fixed an intermittent issue where NAT traffic was dropped when NAT parameters were introduced or changed in the path between the LSVPN GlobalProtect gateway and the GlobalProtect satellite. To leverage this fix in your network, you must also enable Tunnel Monitoring on the GlobalProtect Gateway (
Network
GlobalProtect
Gateways
<gp-gateway>
Satellite
Tunnel Settings
).
PAN-92955
Fixed an issue on PA-5200 Series firewalls in an HA active/active configuration where session timeouts occurred when TCP timers did not update as expected for asymmetric flows.
PAN-92596
Fixed an issue where the output of the
show neighbor ndp-monitor all
command-line interface (CLI) command was missing a space between the Interface and IPv6 address columns, which decreased readability.
PAN-92334
Fixed an issue where the process (
cord
) stopped responding when trying to forward correlation events if there was no log forwarding profile configured for correlated events.
PAN-91874
Fixed an issue where the log receiver failed due to the logging certificate server name indication (SNI) value.
PAN-91835
Fixed an issue where PA-7000 Series firewalls did not send logs to Panorama.
PAN-91715
(
PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only
) Fixed an issue where the destination interface configured for a QoS profile rule did not match traffic as expected.
PAN-90967
Fixed an intermittent issue where the Bidirectional Forwarding Detection (BFD) up time displayed negative values.
PAN-89849
Fixed an issue where the antivirus/anti-spyware block page did not display.
PAN-89402
Fixed an issue on PA-3200 Series firewalls where Ethernet ports 2, 3, 4, 6, 7, 8, and 10 were functioning only at 1,000Mbps (1Gbps).
PAN-87867
Fixed an issue on an M-100 appliance where, when the interface and snapshot length (snaplen) options were enabled, the
tcpdump
command failed to execute with the following message:
Unsupported number of arguments.
PAN-86759
Fixed an issue where the URL session information WildFire® report displayed
Unknown
for sample files uploaded from firewalls running a PAN-OS 8.0 release.
PAN-84199
Fixed an issue where, after you disabled the
Skip Auth on IKE Rekey
option in the GlobalProtect gateway, the firewall still applied the option: end users with endpoints that used Extended Authentication (X-Auth) did not have to re-authenticate when the key for establishing the IPSec tunnel expired (
Network
GlobalProtect
Gateways
<gateway>
Agent
Tunnel Settings
).
PAN-83946
Fixed an issue where the default QoS profile limited the available bandwidth to 10Gbps when you specifically applied the profile to the ae2 interface; this issue occurred regardless of the bandwidth setting you configured specifically for that profile.
PAN-82987
Fixed an issue where the Panorama web interface intermittently became unresponsive during ACC queries.
PAN-81553
Fixed an issue where the M-100 appliance used the default value of 1,000 because the maximum number of user groups was not defined in the system configuration.

Recommended For You