PAN-OS 8.1.6 Addressed Issues

PAN-OS® 8.1.6 addressed issues
Issue ID
Description
WF500-4901
Fixed an issue where files sent by Traps™ to WildFire® were referenced for trusted signers in the incorrect database, which resulted in a malicious file verdict and caused conflicting post detection events.
WF500-4893
(
RADIUS server profile configurations only
) Fixed an issue where the RADIUS authentication protocol was incorrectly changed to CHAP authentication when you pushed a commit from a Panorama™ appliance running a PAN-OS® 8.1 release to a WF-500 appliance running a PAN-OS 8.0 release.
WF500-4869
Fixed an issue on a WF-500 appliance where the sample analysis failed when using FIPS-CC mode.
WF500-4815
Fixed an intermittent issue on WF-500 appliances where the Redis command line interface (CLI) failed to execute during master node re-balancing.
WF500-4747
Fixed an issue on a WF-500 appliance where the Panorama™ management server ran unrelated Logging Service threads.
WF500-4636
(
WF-500 Appliances only
) Fixed a rare issue that occurred after upgrading from a PAN-OS 8.0 release to a PAN-OS 8.1 release where the disk partition became full due to the amount of data on the drive and, when you tried to delete the backup database to free up space, the
debug wildfire reset backup-database-for-old-samples
CLI command failed and resulted in the following error:
Server error : Client wf_devsrvr not ready.
PAN-111305
Fixed an issue where you were unable to reference certificate profiles from the External Dynamic Lists (
Objects
External Dynamic Lists
Add
Create List
) but instead, you had to type in the certificate profile.
PAN-110448
Fixed an issue on PA-3200 Series firewalls where the dataplane took longer than expected to respond or intermittently stopped responding after a firewall reboot.
PAN-109594
Fixed an issue where the dataplane restarted when an IPsec rekey event occurred and caused a tunnel process (
tund
) failure when one--but not both--HA peer is running PAN-OS 8.0.14 or PAN-OS 8.1.5.
PAN-109124
A security-related fix was made to address an issue where you were unable to retrieve GlobalProtect™ cloud service threat packet captures from the Logging Service on Panorama M-Series and virtual appliances.
PAN-108785
Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after an HA failover.
PAN-108241
Fixed an issue on a PA-3200 Series firewall where multiple dataplane processes (
all_pktproc, flow_mgmt, flow_ctrl, and pktlog_forwarding
) stopped responding when overloaded with traffic.
PAN-108165
Fixed memory issues on Palo Alto Networks hardware and virtual appliances that caused intermittent management plane instability.
PAN-108161
Fixed an issue on an HA active/passive configuration where GTP sessions did not properly sync to the passive firewall, which caused a failure on the passive firewall during a failover.
PAN-107895
Fixed an issue where PDP Delete Response packet did not match the GTPv1-C tunnel session, which caused the generated GTP log to display incorrect session data.
PAN-107893
Fixed an issue where a
Delete PDP Context Response
(
Monitor
Logs
GTP
) did not correlate with a
Delete PDP Context Request
and appeared as a new session.
PAN-107790
Fixed an issue where Application incorrectly displayed as
unknown-udp
instead of
gtp-c
for the
GTPv1-C tunnel management message
GTP Event Type.
PAN-107734
Fixed an intermittent issue where IPSec Tunnels failed due to a race condition between the (
pan_task
) process and (
tund
) process.
PAN-107694
Fixed an issue on Panorama M-Series and virtual appliances where after you selected
Allow with Ticket
(
Networks
GlobalProtect
Portals
<Portal-Name>
App
) the web interface
Generate Ticket
did not display.
PAN-107290
Fixed an issue where a single API call failed to locate a Device Group node and create a device node for the Device Group when necessary.
PAN-107262
A security-related fix was made to prevent cross-site scripting (XSS) attacks through the PAN-OS Management Web Interface (CVE-2019-1566).
PAN-106947
Fixed an intermittent issue where a large number of out-of-order TCP packets caused packet buffer depletion.
PAN-106776
A security-related fix was made to prevent a cross-site scripting (XSS) vulnerability in PAN-OS External Dynamic Lists (CVE-2019-1565).
PAN-106759
Fixed an issue in an HA active/passive configuration where a process (
configd
) restarted due to a memory error.
PAN-106253
Fixed an issue where the GTP Message Type
Modify Bearer Response
and GTP Event Code
124223
were denied due to failed stateful inspections.
PAN-106251
Fixed an issue where the list of Panorama Managed Devices did not display (
Panorama
Device
Deployment
Licenses
).
PAN-105928
Fixed an issue on a firewall where server side data packets dropped after a terminated challenge ACK session was reused.
PAN-105759
Fixed an issue on PA-3200 Series and PA-5200 Series firewalls in an HA active/active configuration where the SNMP notification did not report the HA interfaces.
PAN-105570
(
PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only
) Fixed an issue where the QoS profile rule did not match non-offloaded traffic as expected.
PAN-105567
Fixed an intermittent issue on Panorama M-Series and virtual appliances where a cloned security or NAT policy used the incorrect
Rule order
.
PAN-105348
Fixed an issue on Panorama M-Series and virtual appliances where Dynamic Updates (
Device
Dynamic Updates
) did not allow local overrides on an existing template.
PAN-105281
(
PAN-OS 8.1.6 and later
) Fixed an issue where a SAML based GlobalProtect re-authentication portal displayed an authentication error after you have previously logged in.
PAN-105157
Fixed an intermittent issue on Panaoram M-Series and virtual appliances where logs did not display due to a file descriptor limit by the process (
Elasticsearch
).
PAN-105103
Fixed an intermittent issue where GTP logs did not display due to GTP packets with an APN > 14 bytes caused the traffic log to reach the limit and stopped generating logs.
PAN-105012
Fixed an issue on Panorama M-Series and virtual appliances where a log migration from an old-disk pair to a new-disk pair failed with the following error message:
Error restoring disks from RMAed device
, which caused the (
configd
) process to fail.
PAN-104463
Fixed an intermittent issue where the DNS resolution stopped responding when the firewall acted as a DNS proxy and the DNS request volume was higher than expected.
PAN-104361
Fixed an issue on a firewall in an HA active/passive configuration where a process (
all_task
) failed due to a (
bad_gtp_header
) code on the passive firewall after upgrading from PAN-OS 8.0.12.
PAN-104300
Fixed an issue on a firewall where a process (
mprelay
) stopped responding while the (
> debug dataplane internal pdt
) command was processed.
PAN-104165
Fixed an issue on a VM-Series firewall configured to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF) with VLAN tagging dropped Ethernet frames exceeding 1496 bytes.
PAN-104077
Fixed an intermittent issue where User-ID™ stopped responding, which caused the user IP mapping to not display.
PAN-104042
Fixed an issue where directly connected IPv4 routes do not display in the routing table after the firewall was restarted.
PAN-104041
Fixed an issue where the web interface management session failed to time out as expected when you set the
Idle Timeout
(
Device
Setup
Management
Authentication Settings
Edit
) to more than five minutes.
PAN-103665
Fixed an issue on an HA active/active configuration where the active primary LLDP profile could not be copied to the active secondary firewall.
PAN-103224
Fixed an issue on a VM-Series firewall where the initialization buffer caused the firewall to stop responding when five or more interfaces were active.
PAN-102954
A security-related fix was made to address a code parameter in the clientless VPN portal.
PAN-102625
Fixed an issue on a firewall where traffic stopped passing due to higher than normal duplicate TCP ACK packets sent from the client side, which caused a spike in packet buffers and packet descriptor usage.
PAN-102338
Fixed an issue where you were unable to configure
Maximum Egress
(
Network
QoS
) to 10000 Mbps on a 10000 Mbps port.
PAN-101990
Fixed an issue on Panorama M-Series and virtual appliances in an HA active/passive configuration where you were unable to edit the template variables (
Panorama
Summary
).
PAN-101973
Fixed an issue where you were unable to configure IPv6 variables (
Network
Virtual Routers
Add
Static
Routes
IPv6
).
PAN-101882
Fixed an issue on Panorama M-Series and virtual appliances where a partial Commit and Push for one or more administrators incorrectly sets the Push scope to all relevant firewalls as if a full Commit and Push was performed.
PAN-101851
Fixed an intermittent issue on PAN-OS 8.1.3 and later releases, where downloading files from email services were allowed when the file blocking profile was configured to block email service file downloads.
PAN-101800
Fixed an issue where the parent session stopped responding during a file transfer using a decryption enabled FTP server with the following error message:
Lost connection
.
PAN-101692
Fixed an issue where the (
show session all filter nat-rule
) command did not respond with destination NAT rules.
PAN-101684
Fixed an issue on Panorama M-Series and virtual appliances where adding a threat exception for a child Device Group caused existing rules to be removed from the Global Device Group.
PAN-101614
Fixed an issue on a firewall where SSL/TLS Service Profile (
Device
SSL/TLS Service Profile
) values failed to change after an override.
PAN-101607
Fixed an issue where template administrators with the required permission made configuration changes on shared objects and the Commit failed with the following error message:
No pending change to commit
.
PAN-101401
Fixed an issue where a DNS App-ID™ security policy allowed non-DNS traffic to flow through.
PAN-101202
Fixed an issue on a firewall where the TFC padding parameter was set to
null
when negotiating with a peer device capable of TFC padding during IKEv2 negotiations.
PAN-101185
Fixed an issue on Panorama M-Series and virtual appliances where the Decrypt Mirror (
Network
Interfaces
Ethernet
Interface Type
) template setting did not Push to a firewall.
PAN-101031
Fixed an issue where you were unable to select existing certificates after you created an IKE gateway on a template stack and changed Authentication to Certificate.
PAN-101029
Fixed an issue where routing traffic dropped due to an increased activity in global counter (
flow_fpga_rcv_egr_L3_NH_NF
) when an interface is moved from one virtual router to another.
PAN-100962
Fixed an issue on Panorama M-Series and virtual appliances where the disk quota configuration exceeded a combined total of 100 percent when a Push was performed from Panorama due to value discrepancies between Panorama and the firewall.
PAN-100717
Fixed an issue where the (
configd
) process depleted memory when you deleted multiple security rules with an XML API call.
PAN-100623
Fixed an issue on a firewall in an HA active/passive configuration where a higher than normal rate of HA session update messages caused higher than normal CPU usage on both active and passive nodes.
PAN-100381
Fixed an issue on a firewall in an HA configuration where a path monitoring variable was not available for Destination IP (
Device
High Availability
Link and Path Monitoring
Add Virtual Router Path
).
PAN-100173
Fixed an issue where H.323 based calls had audio issues due to the predicted RTP session not following the policy-based forwarding (PBF) rules that sends traffic from the client to servers, which caused RTP traffic to be forwarded incorrectly by route.
PAN-99924
Fixed an issue where the Panorama management server web and CLI stopped responding after a partial configuration load (
Panorama
Setup
Operations
).
PAN-99764
Fixed an issue on VM-Series firewalls where CPU calculations for additional vCPUs in the dataplane did not display correctly.
PAN-99742
Fixed an issue on a PA-500 Series firewall where SSL Forward Proxy was denied due to insufficient shared memory.
PAN-99621
Fixed an issue on a firewall where Captive Portal sessions matched incorrect policies and were incorrectly logged in the traffic log.
PAN-99504
Fixed an issue on a firewall where Group Mapping (
Device
User Identification
Group Mapping Settings
) did not display the list of LDAP server profile users when a Domino server with an empty distinguished name (DN) was used.
PAN-99079
Fixed an issue on Panorama M-Series and virtual appliances where Logging Service was enabled, traffic log filters with a variable length subnet mask did not display any logs.
PAN-99058
Fixed an issue where threat log messages (
SCAN: UDP Port Scan
) appeared when the UDP port scan traffic rate was less than the Reconnaissance Protection UDP port scan threshold.
PAN-99002
Fixed a rare issue where XML files with random file sizes failed to upload through API calls.
PAN-99000
Fixed an issue where the packet capture option did not display (
Monitor
Traffic
) when administrators switched context from Panorama to a managed firewall.
PAN-98861
Fixed an issue where shadowed rule warnings did not display during commits.
PAN-98811
Fixed an issue on Panorama M-Series and virtual appliances where Group Mapping Settings (
Object
Security Profile
URL Filtering
User Credential Detection
) did not display profile names.
PAN-98786
Fixed an issue where websites were not accessible when you configured a decryption policy Action to
No Decrypt
and enabled
Block sessions with expired certificates
.
PAN-98625
Fixed an issue where the Threat Category (
Monitor
Threat
) did not display as expected on Panorama M-Series and virtual appliances when it received logs from PA-200, PA-220, PA-500, and PA-800 Series firewalls.
PAN-97898
Fixed a rare issue where the traffic log did not generate data due to a negative log counter reading.
PAN-97743
Fixed an issue where the firewall did not recognize the small form-factor pluggable (SFP) port, which caused the dataplane to restart when the path monitor process stopped responding.
To ensure a successful upgrade to PAN-OS 8.1.6 for this fix, re-seat all connected SFP transceivers and then follow the upgrade path described in the PAN-OS 8.1 upgrade procedure (PAN-OS 8.1 New Features Guide).
PAN-97672
Fixed an issue where polled SNMP object identifiers (OID) stopped responding after the firewall was restarted.
PAN-97670
Fixed an issue on a VM-Series firewall in an HA active/passive configuration where after a reboot, the passive firewall sent ARP packets during the initialization state, which caused a traffic conflict with the active firewall.
PAN-97496
Fixed an issue on a firewall where the (
show running resource-monitor ingress-backlogs
) CLI command displayed invalid session IDs.
PAN-97298
(
PAN-OS 8.1.1 and later releases only
) Fixed an issue where
Address Groups
(
Objects
Address Groups
) search results were cleared from the web interface when you switched between tabs.
PAN-97223
Fixed an issue where an administrator with superuser access was unable to remove a configuration lock from a logged out administrator whose username contained a backslash (" \ ").
PAN-97139
Fixed an issue where the GlobalProtect Data File (
Device
Dynamic Updates
GlobalProtect data File
) version did not update after a PAN-OS 8.1 upgrade.
PAN-95975
Fixed an issue on a firewall in an HA active/passive configuration where the scheduled antivirus content update failed due to a process (
mgmtsrvr
) failure.
PAN-95121
Fixed an issue where applications gets disabled after you enabled them during the install or revert of application and threat signatures.
PAN-93112
Fixed an issue on a PA-5200 Series firewall where small form-factor pluggable (SFP) ports only linked in auto negotiation mode.
PAN-91059
Fixed an issue where GTP log query filters did not work when you filtered based on a value of
unknown
for the message type or GTP interface fields (
Monitor
Logs
GTP
).
PAN-90096
Fixed an issue where Threat logs recorded incorrect IMSI values for GTP packets when you enabled
Packet Capture
in Vulnerability Protection profiles (
Objects
Security Profiles
Vulnerability Protection
<vulnerability_protection_profile>
Rules
).
PAN-88461
Fixed an issue on PA-3050 and PA-3060 firewalls in an HA active/passive configuration with link state pass-through enabled in virtual wire (vwire) where the Aggregate Ethernet (AE) interface communication failed during an HA failover event.
PAN-84292
Fixed an issue on a firewall where the (
show system state browser
) command window displayed live traffic values toggle between zero and other incorrect values.

Recommended For You