PAN-OS 8.1.6 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 8.1.6 Addressed Issues
PAN-OS® 8.1.6 addressed issues
Issue ID | Description |
---|---|
WF500-4901 | Fixed an issue where files sent by Traps™
to WildFire® were referenced for trusted signers in the incorrect
database, which resulted in a malicious file verdict and caused
conflicting post detection events. |
WF500-4893 | (RADIUS server profile configurations
only) Fixed an issue where the RADIUS authentication protocol
was incorrectly changed to CHAP authentication when you pushed a
commit from a Panorama™ appliance running a PAN-OS® 8.1 release
to a WF-500 appliance running a PAN-OS 8.0 release. |
WF500-4869 | Fixed an issue on a WF-500 appliance where
the sample analysis failed when using FIPS-CC mode. |
WF500-4815 | Fixed an intermittent issue on WF-500 appliances
where the Redis command line interface (CLI) failed to execute during
master node re-balancing. |
WF500-4747 | Fixed an issue on a WF-500 appliance where
the Panorama™ management server ran unrelated Logging Service threads. |
WF500-4636 | (WF-500 Appliances only) Fixed
a rare issue that occurred after upgrading from a PAN-OS 8.0 release
to a PAN-OS 8.1 release where the disk partition became full due
to the amount of data on the drive and, when you tried to delete
the backup database to free up space, the debug wildfire reset backup-database-for-old-samples CLI
command failed and resulted in the following error: Server error : Client wf_devsrvr not ready. |
PAN-111305 | Fixed an issue where you were unable to
reference certificate profiles from the External Dynamic Lists (ObjectsExternal Dynamic ListsAddCreate List)
but instead, you had to type in the certificate profile. |
PAN-110448 | Fixed an issue on PA-3200 Series firewalls
where the dataplane took longer than expected to respond or intermittently
stopped responding after a firewall reboot. |
PAN-109594 | Fixed an issue where the dataplane restarted
when an IPsec rekey event occurred and caused a tunnel process (tund) failure
when one--but not both--HA peer is running PAN-OS 8.0.14 or PAN-OS
8.1.5. |
PAN-109124 | A security-related fix was made to address
an issue where you were unable to retrieve GlobalProtect™ cloud
service threat packet captures from the Logging Service on Panorama
M-Series and virtual appliances. |
PAN-108785 | Fixed an intermittent issue on a firewall
in an HA active/passive configuration where a ping test stopped
responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on
the corresponding switch port after an HA failover. |
PAN-108241 | Fixed an issue on a PA-3200 Series firewall
where multiple dataplane processes (all_pktproc, flow_mgmt,
flow_ctrl, and pktlog_forwarding) stopped responding when
overloaded with traffic. |
PAN-108165 | Fixed memory issues on Palo Alto Networks
hardware and virtual appliances that caused intermittent management
plane instability. |
PAN-108161 | Fixed an issue on an HA active/passive configuration
where GTP sessions did not properly sync to the passive firewall,
which caused a failure on the passive firewall during a failover. |
PAN-107895 | Fixed an issue where PDP Delete Response
packet did not match the GTPv1-C tunnel session, which caused the
generated GTP log to display incorrect session data. |
PAN-107893 | Fixed an issue where a Delete
PDP Context Response (MonitorLogsGTP)
did not correlate with a Delete PDP Context Request and
appeared as a new session. |
PAN-107790 | Fixed an issue where Application incorrectly
displayed as unknown-udp instead of gtp-c for
the GTPv1-C tunnel management message GTP
Event Type. |
PAN-107694 | Fixed an issue on Panorama M-Series and
virtual appliances where after you selected Allow with
Ticket (NetworksGlobalProtectPortals <Portal-Name>App) the web interface Generate
Ticket did not display. |
PAN-107290 | Fixed an issue where a single API call failed
to locate a Device Group node and create a device node for the Device
Group when necessary. |
PAN-107262 | A security-related fix was made to prevent
cross-site scripting (XSS) attacks through the PAN-OS Management
Web Interface (CVE-2019-1566). |
PAN-106947 | Fixed an intermittent issue where a large
number of out-of-order TCP packets caused packet buffer depletion. |
PAN-106776 | A security-related fix was made to prevent
a cross-site scripting (XSS) vulnerability in PAN-OS External Dynamic
Lists (CVE-2019-1565). |
PAN-106759 | Fixed an issue in an HA active/passive configuration
where a process (configd) restarted due to a memory error. |
PAN-106253 | Fixed an issue where the GTP Message Type Modify Bearer
Response and GTP Event Code 124223 were
denied due to failed stateful inspections. |
PAN-106251 | Fixed an issue where the list of Panorama
Managed Devices did not display (PanoramaDeviceDeploymentLicenses). |
PAN-105928 | Fixed an issue on a firewall where server
side data packets dropped after a terminated challenge ACK session
was reused. |
PAN-105759 | Fixed an issue on PA-3200 Series and PA-5200
Series firewalls in an HA active/active configuration where the
SNMP notification did not report the HA interfaces. |
PAN-105570 | (PA-3200 Series, PA-5200 Series, and
PA-7000 Series firewalls only) Fixed an issue where the QoS
profile rule did not match non-offloaded traffic as expected. |
PAN-105567 | Fixed an intermittent issue on Panorama
M-Series and virtual appliances where a cloned security or NAT policy
used the incorrect Rule order. |
PAN-105348 | Fixed an issue on Panorama M-Series and
virtual appliances where Dynamic Updates (DeviceDynamic Updates) did not allow
local overrides on an existing template. |
PAN-105281 | (PAN-OS 8.1.6 and later) Fixed
an issue where a SAML based GlobalProtect re-authentication portal
displayed an authentication error after you have previously logged
in. |
PAN-105157 | Fixed an intermittent issue on Panaoram
M-Series and virtual appliances where logs did not display due to
a file descriptor limit by the process (Elasticsearch). |
PAN-105103 | Fixed an intermittent issue where GTP logs
did not display due to GTP packets with an APN > 14 bytes caused
the traffic log to reach the limit and stopped generating logs. |
PAN-105012 | Fixed an issue on Panorama M-Series and
virtual appliances where a log migration from an old-disk pair to
a new-disk pair failed with the following error message: Error restoring disks from RMAed device,
which caused the (configd) process to fail. |
PAN-104463 | Fixed an intermittent issue where the DNS
resolution stopped responding when the firewall acted as a DNS proxy
and the DNS request volume was higher than expected. |
PAN-104361 | Fixed an issue on a firewall in an HA active/passive
configuration where a process (all_task) failed due
to a (bad_gtp_header) code on the passive firewall after
upgrading from PAN-OS 8.0.12. |
PAN-104300 | Fixed an issue on a firewall where a process (mprelay)
stopped responding while the (> debug dataplane internal pdt)
command was processed. |
PAN-104165 | Fixed an issue on a VM-Series firewall configured
to use the i40e single-root input/output virtualization (SR-IOV)
virtual function (VF) with VLAN tagging dropped Ethernet frames
exceeding 1496 bytes. |
PAN-104077 | Fixed an intermittent issue where User-ID™
stopped responding, which caused the user IP mapping to not display. |
PAN-104042 | Fixed an issue where directly connected
IPv4 routes do not display in the routing table after the firewall
was restarted. |
PAN-104041 | Fixed an issue where the web interface management
session failed to time out as expected when you set the Idle Timeout (DeviceSetupManagementAuthentication SettingsEdit)
to more than five minutes. |
PAN-103665 | Fixed an issue on an HA active/active configuration
where the active primary LLDP profile could not be copied to the
active secondary firewall. |
PAN-103224 | Fixed an issue on a VM-Series firewall where
the initialization buffer caused the firewall to stop responding
when five or more interfaces were active. |
PAN-102954 | A security-related fix was made to address
a code parameter in the clientless VPN portal. |
PAN-102625 | Fixed an issue on a firewall where traffic
stopped passing due to higher than normal duplicate TCP ACK packets
sent from the client side, which caused a spike in packet buffers
and packet descriptor usage. |
PAN-102338 | Fixed an issue where you were unable to
configure Maximum Egress (NetworkQoS)
to 10000 Mbps on a 10000 Mbps port. |
PAN-101990 | Fixed an issue on Panorama M-Series and
virtual appliances in an HA active/passive configuration where you
were unable to edit the template variables (PanoramaSummary). |
PAN-101973 | Fixed an issue where you were unable to
configure IPv6 variables (NetworkVirtual RoutersAddStaticRoutesIPv6). |
PAN-101882 | Fixed an issue on Panorama M-Series and
virtual appliances where a partial Commit and Push for one or more
administrators incorrectly sets the Push scope to all relevant firewalls
as if a full Commit and Push was performed. |
PAN-101851 | Fixed an intermittent issue on PAN-OS 8.1.3
and later releases, where downloading files from email services
were allowed when the file blocking profile was configured to block
email service file downloads. |
PAN-101800 | Fixed an issue where the parent session
stopped responding during a file transfer using a decryption enabled
FTP server with the following error message: Lost connection. |
PAN-101692 | Fixed an issue where the (show session all filter nat-rule)
command did not respond with destination NAT rules. |
PAN-101684 | Fixed an issue on Panorama M-Series and
virtual appliances where adding a threat exception for a child Device
Group caused existing rules to be removed from the Global Device
Group. |
PAN-101614 | Fixed an issue on a firewall where SSL/TLS
Service Profile (DeviceSSL/TLS
Service Profile) values failed to change
after an override. |
PAN-101607 | Fixed an issue where template administrators
with the required permission made configuration changes on shared
objects and the Commit failed with the following error message: No pending change to commit. |
PAN-101401 | Fixed an issue where a DNS App-ID™ security
policy allowed non-DNS traffic to flow through. |
PAN-101202 | Fixed an issue on a firewall where the TFC
padding parameter was set to null when negotiating
with a peer device capable of TFC padding during IKEv2 negotiations. |
PAN-101185 | Fixed an issue on Panorama M-Series and
virtual appliances where the Decrypt Mirror (NetworkInterfacesEthernetInterface Type) template setting
did not Push to a firewall. |
PAN-101031 | Fixed an issue where you were unable to
select existing certificates after you created an IKE gateway on
a template stack and changed Authentication to Certificate. |
PAN-101029 | Fixed an issue where routing traffic dropped
due to an increased activity in global counter (flow_fpga_rcv_egr_L3_NH_NF)
when an interface is moved from one virtual router to another. |
PAN-100962 | Fixed an issue on Panorama M-Series and
virtual appliances where the disk quota configuration exceeded a
combined total of 100 percent when a Push was performed from Panorama
due to value discrepancies between Panorama and the firewall. |
PAN-100717 | Fixed an issue where the (configd)
process depleted memory when you deleted multiple security rules
with an XML API call. |
PAN-100623 | Fixed an issue on a firewall in an HA active/passive
configuration where a higher than normal rate of HA session update
messages caused higher than normal CPU usage on both active and
passive nodes. |
PAN-100381 | Fixed an issue on a firewall in an HA configuration
where a path monitoring variable was not available for Destination
IP (DeviceHigh AvailabilityLink and Path MonitoringAdd Virtual
Router Path). |
PAN-100173 | Fixed an issue where H.323 based calls had
audio issues due to the predicted RTP session not following the
policy-based forwarding (PBF) rules that sends traffic from the
client to servers, which caused RTP traffic to be forwarded incorrectly
by route. |
PAN-99924 | Fixed an issue where the Panorama management
server web and CLI stopped responding after a partial configuration
load (PanoramaSetupOperations). |
PAN-99764 | Fixed an issue on VM-Series firewalls where
CPU calculations for additional vCPUs in the dataplane did not display
correctly. |
PAN-99742 | Fixed an issue on a PA-500 Series firewall
where SSL Forward Proxy was denied due to insufficient shared memory. |
PAN-99621 | Fixed an issue on a firewall where Captive
Portal sessions matched incorrect policies and were incorrectly
logged in the traffic log. |
PAN-99504 | Fixed an issue on a firewall where Group
Mapping (DeviceUser IdentificationGroup Mapping Settings) did
not display the list of LDAP server profile users when a Domino
server with an empty distinguished name (DN) was used. |
PAN-99079 | Fixed an issue on Panorama M-Series and
virtual appliances where Logging Service was enabled, traffic log
filters with a variable length subnet mask did not display any logs. |
PAN-99058 | Fixed an issue where threat log messages
(SCAN: UDP Port Scan) appeared when
the UDP port scan traffic rate was less than the Reconnaissance
Protection UDP port scan threshold. |
PAN-99002 | Fixed a rare issue where XML files with
random file sizes failed to upload through API calls. |
PAN-99000 | Fixed an issue where the packet capture
option did not display (MonitorTraffic) when administrators
switched context from Panorama to a managed firewall. |
PAN-98861 | Fixed an issue where shadowed rule warnings
did not display during commits. |
PAN-98811 | Fixed an issue on Panorama M-Series and
virtual appliances where Group Mapping Settings (ObjectSecurity ProfileURL FilteringUser Credential Detection)
did not display profile names. |
PAN-98786 | Fixed an issue where websites were not accessible
when you configured a decryption policy Action to No Decrypt and
enabled Block sessions with expired certificates. |
PAN-98625 | Fixed an issue where the Threat Category (MonitorThreat)
did not display as expected on Panorama M-Series and virtual appliances
when it received logs from PA-200, PA-220, PA-500, and PA-800 Series
firewalls. |
PAN-97898 | Fixed a rare issue where the traffic log
did not generate data due to a negative log counter reading. |
PAN-97743 | Fixed an issue where the firewall did not
recognize the small form-factor pluggable (SFP) port, which caused
the dataplane to restart when the path monitor process stopped responding. To ensure a successful upgrade to PAN-OS
8.1.6 for this fix, re-seat all connected SFP transceivers and then
follow the upgrade path described
in the PAN-OS 8.1 upgrade procedure (PAN-OS 8.1 New Features Guide). |
PAN-97672 | Fixed an issue where polled SNMP object
identifiers (OID) stopped responding after the firewall was restarted. |
PAN-97670 | Fixed an issue on a VM-Series firewall in
an HA active/passive configuration where after a reboot, the passive
firewall sent ARP packets during the initialization state, which
caused a traffic conflict with the active firewall. |
PAN-97496 | Fixed an issue on a firewall where the (show running resource-monitor ingress-backlogs)
CLI command displayed invalid session IDs. |
PAN-97298 | (PAN-OS 8.1.1 and later releases only)
Fixed an issue where Address Groups (ObjectsAddress Groups)
search results were cleared from the web interface when you switched
between tabs. |
PAN-97223 | Fixed an issue where an administrator with
superuser access was unable to remove a configuration lock from
a logged out administrator whose username contained a backslash
(" \ "). |
PAN-97139 | Fixed an issue where the GlobalProtect Data
File (DeviceDynamic
UpdatesGlobalProtect data File)
version did not update after a PAN-OS 8.1 upgrade. |
PAN-95975 | Fixed an issue on a firewall in an HA active/passive
configuration where the scheduled antivirus content update failed
due to a process (mgmtsrvr) failure. |
PAN-95121 | Fixed an issue where applications gets disabled
after you enabled them during the install or revert of application
and threat signatures. |
PAN-93112 | Fixed an issue on a PA-5200 Series firewall
where small form-factor pluggable (SFP) ports only linked in auto
negotiation mode. |
PAN-91059 | Fixed an issue where GTP log query filters
did not work when you filtered based on a value of unknown for
the message type or GTP interface fields (MonitorLogsGTP). |
PAN-90096 | Fixed an issue where Threat logs recorded
incorrect IMSI values for GTP packets when you enabled Packet
Capture in Vulnerability Protection profiles (ObjectsSecurity ProfilesVulnerability Protection<vulnerability_protection_profile>Rules). |
PAN-88461 | Fixed an issue on PA-3050 and PA-3060 firewalls
in an HA active/passive configuration with link state pass-through
enabled in virtual wire (vwire) where the Aggregate Ethernet (AE)
interface communication failed during an HA failover event. |
PAN-84292 | Fixed an issue on a firewall where the (show system state browser)
command window displayed live traffic values toggle between zero
and other incorrect values. |