PAN-OS 8.1.6 Addressed Issues
PAN-OS® 8.1.6 addressed issues
Fixed an issue where files sent by Traps™ to WildFire® were referenced for trusted signers in the incorrect database, which resulted in a malicious file verdict and caused conflicting post detection events.
RADIUS server profile configurations only) Fixed an issue where the RADIUS authentication protocol was incorrectly changed to CHAP authentication when you pushed a commit from a Panorama™ appliance running a PAN-OS® 8.1 release to a WF-500 appliance running a PAN-OS 8.0 release.
Fixed an issue on a WF-500 appliance where the sample analysis failed when using FIPS-CC mode.
Fixed an intermittent issue on WF-500 appliances where the Redis command line interface (CLI) failed to execute during master node re-balancing.
Fixed an issue on a WF-500 appliance where the Panorama™ management server ran unrelated Logging Service threads.
WF-500 Appliances only) Fixed a rare issue that occurred after upgrading from a PAN-OS 8.0 release to a PAN-OS 8.1 release where the disk partition became full due to the amount of data on the drive and, when you tried to delete the backup database to free up space, the
debug wildfire reset backup-database-for-old-samplesCLI command failed and resulted in the following error:
Server error : Client wf_devsrvr not ready.
Fixed an issue where you were unable to reference certificate profiles from the External Dynamic Lists (
) but instead, you had to type in the certificate profile.
External Dynamic Lists
Fixed an issue on PA-3200 Series firewalls where the dataplane took longer than expected to respond or intermittently stopped responding after a firewall reboot.
A security-related fix was made to address an issue where you were unable to retrieve GlobalProtect™ cloud service threat packet captures from the Logging Service on Panorama M-Series and virtual appliances.
Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after an HA failover.
Fixed memory issues on Palo Alto Networks hardware and virtual appliances that caused intermittent management plane instability.
Fixed an issue on an HA active/passive configuration where GTP sessions did not properly sync to the passive firewall, which caused a failure on the passive firewall during a failover.
Fixed an issue where PDP Delete Response packet did not match the GTPv1-C tunnel session, which caused the generated GTP log to display incorrect session data.
Fixed an issue where a
Delete PDP Context Response(
) did not correlate with a
Delete PDP Context Requestand appeared as a new session.
Fixed an issue where Application incorrectly displayed as
GTPv1-C tunnel management messageGTP Event Type.
Fixed an issue on Panorama M-Series and virtual appliances where after you selected
Allow with Ticket(
) the web interface
Generate Ticketdid not display.
Fixed an issue where a single API call failed to locate a Device Group node and create a device node for the Device Group when necessary.
A security-related fix was made to prevent cross-site scripting (XSS) attacks through the PAN-OS Management Web Interface (CVE-2019-1566).
Fixed an intermittent issue where a large number of out-of-order TCP packets caused packet buffer depletion.
A security-related fix was made to prevent a cross-site scripting (XSS) vulnerability in PAN-OS External Dynamic Lists (CVE-2019-1565).
Fixed an issue where the GTP Message Type
Modify Bearer Responseand GTP Event Code
124223were denied due to failed stateful inspections.
Fixed an issue where the list of Panorama Managed Devices did not display (
Fixed an issue on a firewall where server side data packets dropped after a terminated challenge ACK session was reused.
Fixed an issue on PA-3200 Series and PA-5200 Series firewalls in an HA active/active configuration where the SNMP notification did not report the HA interfaces.
PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the QoS profile rule did not match non-offloaded traffic as expected.
Fixed an intermittent issue on Panorama M-Series and virtual appliances where a cloned security or NAT policy used the incorrect
Fixed an issue on Panorama M-Series and virtual appliances where Dynamic Updates (
) did not allow local overrides on an existing template.
PAN-OS 8.1.6 and later) Fixed an issue where a SAML based GlobalProtect re-authentication portal displayed an authentication error after you have previously logged in.
Fixed an intermittent issue where GTP logs did not display due to GTP packets with an APN > 14 bytes caused the traffic log to reach the limit and stopped generating logs.
Fixed an issue on Panorama M-Series and virtual appliances where a log migration from an old-disk pair to a new-disk pair failed with the following error message:
Error restoring disks from RMAed device, which caused the (configd) process to fail.
Fixed an intermittent issue where the DNS resolution stopped responding when the firewall acted as a DNS proxy and the DNS request volume was higher than expected.
Fixed an issue on a VM-Series firewall configured to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF) with VLAN tagging dropped Ethernet frames exceeding 1496 bytes.
Fixed an intermittent issue where User-ID™ stopped responding, which caused the user IP mapping to not display.
Fixed an issue where directly connected IPv4 routes do not display in the routing table after the firewall was restarted.
Fixed an issue where the web interface management session failed to time out as expected when you set the
) to more than five minutes.
Fixed an issue on an HA active/active configuration where the active primary LLDP profile could not be copied to the active secondary firewall.
Fixed an issue on a VM-Series firewall where the initialization buffer caused the firewall to stop responding when five or more interfaces were active.
A security-related fix was made to address a code parameter in the clientless VPN portal.
Fixed an issue on a firewall where traffic stopped passing due to higher than normal duplicate TCP ACK packets sent from the client side, which caused a spike in packet buffers and packet descriptor usage.
Fixed an issue where you were unable to configure
) to 10000 Mbps on a 10000 Mbps port.
Fixed an issue on Panorama M-Series and virtual appliances in an HA active/passive configuration where you were unable to edit the template variables (
Fixed an issue where you were unable to configure IPv6 variables (
Fixed an issue on Panorama M-Series and virtual appliances where a partial Commit and Push for one or more administrators incorrectly sets the Push scope to all relevant firewalls as if a full Commit and Push was performed.
Fixed an intermittent issue on PAN-OS 8.1.3 and later releases, where downloading files from email services were allowed when the file blocking profile was configured to block email service file downloads.
Fixed an issue where the parent session stopped responding during a file transfer using a decryption enabled FTP server with the following error message:
Fixed an issue where the (
show session all filter nat-rule) command did not respond with destination NAT rules.
Fixed an issue on Panorama M-Series and virtual appliances where adding a threat exception for a child Device Group caused existing rules to be removed from the Global Device Group.
Fixed an issue on a firewall where SSL/TLS Service Profile (
) values failed to change after an override.
SSL/TLS Service Profile
Fixed an issue where template administrators with the required permission made configuration changes on shared objects and the Commit failed with the following error message:
No pending change to commit.
Fixed an issue where a DNS App-ID™ security policy allowed non-DNS traffic to flow through.
Fixed an issue on a firewall where the TFC padding parameter was set to
nullwhen negotiating with a peer device capable of TFC padding during IKEv2 negotiations.
Fixed an issue on Panorama M-Series and virtual appliances where the Decrypt Mirror (
) template setting did not Push to a firewall.
Fixed an issue where you were unable to select existing certificates after you created an IKE gateway on a template stack and changed Authentication to Certificate.
Fixed an issue where routing traffic dropped due to an increased activity in global counter (
flow_fpga_rcv_egr_L3_NH_NF) when an interface is moved from one virtual router to another.
Fixed an issue on Panorama M-Series and virtual appliances where the disk quota configuration exceeded a combined total of 100 percent when a Push was performed from Panorama due to value discrepancies between Panorama and the firewall.
Fixed an issue on a firewall in an HA active/passive configuration where a higher than normal rate of HA session update messages caused higher than normal CPU usage on both active and passive nodes.
Fixed an issue on a firewall in an HA configuration where a path monitoring variable was not available for Destination IP (
Link and Path Monitoring
Add Virtual Router Path
Fixed an issue where H.323 based calls had audio issues due to the predicted RTP session not following the policy-based forwarding (PBF) rules that sends traffic from the client to servers, which caused RTP traffic to be forwarded incorrectly by route.
Fixed an issue where the Panorama management server web and CLI stopped responding after a partial configuration load (
Fixed an issue on VM-Series firewalls where CPU calculations for additional vCPUs in the dataplane did not display correctly.
Fixed an issue on a PA-500 Series firewall where SSL Forward Proxy was denied due to insufficient shared memory.
Fixed an issue on a firewall where Captive Portal sessions matched incorrect policies and were incorrectly logged in the traffic log.
Fixed an issue on a firewall where Group Mapping (
) did not display the list of LDAP server profile users when a Domino server with an empty distinguished name (DN) was used.
Group Mapping Settings
Fixed an issue on Panorama M-Series and virtual appliances where Logging Service was enabled, traffic log filters with a variable length subnet mask did not display any logs.
Fixed an issue where threat log messages (
SCAN: UDP Port Scan) appeared when the UDP port scan traffic rate was less than the Reconnaissance Protection UDP port scan threshold.
Fixed a rare issue where XML files with random file sizes failed to upload through API calls.
Fixed an issue where the packet capture option did not display (
) when administrators switched context from Panorama to a managed firewall.
Fixed an issue where shadowed rule warnings did not display during commits.
Fixed an issue on Panorama M-Series and virtual appliances where Group Mapping Settings (
) did not display profile names.
User Credential Detection
Fixed an issue where websites were not accessible when you configured a decryption policy Action to
No Decryptand enabled
Block sessions with expired certificates.
Fixed an issue where the Threat Category (
) did not display as expected on Panorama M-Series and virtual appliances when it received logs from PA-200, PA-220, PA-500, and PA-800 Series firewalls.
Fixed a rare issue where the traffic log did not generate data due to a negative log counter reading.
Fixed an issue where the firewall did not recognize the small form-factor pluggable (SFP) port, which caused the dataplane to restart when the path monitor process stopped responding.
Fixed an issue where polled SNMP object identifiers (OID) stopped responding after the firewall was restarted.
Fixed an issue on a VM-Series firewall in an HA active/passive configuration where after a reboot, the passive firewall sent ARP packets during the initialization state, which caused a traffic conflict with the active firewall.
Fixed an issue on a firewall where the (
show running resource-monitor ingress-backlogs) CLI command displayed invalid session IDs.
PAN-OS 8.1.1 and later releases only) Fixed an issue where
) search results were cleared from the web interface when you switched between tabs.
Fixed an issue where an administrator with superuser access was unable to remove a configuration lock from a logged out administrator whose username contained a backslash (" \ ").
Fixed an issue where the GlobalProtect Data File (
) version did not update after a PAN-OS 8.1 upgrade.
GlobalProtect data File
Fixed an issue where applications gets disabled after you enabled them during the install or revert of application and threat signatures.
Fixed an issue on a PA-5200 Series firewall where small form-factor pluggable (SFP) ports only linked in auto negotiation mode.
Fixed an issue where GTP log query filters did not work when you filtered based on a value of
unknownfor the message type or GTP interface fields (
Fixed an issue where Threat logs recorded incorrect IMSI values for GTP packets when you enabled
Packet Capturein Vulnerability Protection profiles (
Fixed an issue on PA-3050 and PA-3060 firewalls in an HA active/passive configuration with link state pass-through enabled in virtual wire (vwire) where the Aggregate Ethernet (AE) interface communication failed during an HA failover event.
Fixed an issue on a firewall where the (
show system state browser) command window displayed live traffic values toggle between zero and other incorrect values.
Recommended For You
Recommended videos not found.