PAN-OS 8.1.7 Addressed Issues

PAN-OS® 8.1.7 addressed issues
Issue ID
Description
WF500-4093
Fixed an issue on a WF-500 appliance cluster where a firewall failed to join the cluster with a large data set of previously processed files.
PAN-113536
Fixed an issue where the automatic refresh of external dynamic lists (EDLs) did not update the URL or Domain EDLs.
PAN-112540
Fixed an issue on a VM-Series firewall where traffic stopped processing and resumed processing only after the firewall was restarted.
PAN-112428
(Panorama™ running PAN-OS® 8.1.6 only) Fixed an intermittent issue where autocommits failed and Panorama stopped displaying device groups when managing a WildFire® appliance running PAN-OS 8.1.5 or an earlier PAN-OS 8.1 release.
PAN-112305
Fixed an issue where source URLs (ObjectsExternal Dynamic Lists<EDL-name>Create ListSource URL), which contained double escape characters caused external dynamic list entries to display incorrect values in the policies.
PAN-112098
Fixed an intermittent issue on a firewall where outbound traffic failed with an error message: (proxy decrypt failure) when configured with HTTP Header Insertion (ObjectsSecurity ProfilesURL Filtering<Filter-name>HTTP Header Insertion).
PAN-111866
Fixed an issue where the push scope selection on the Panorama web interface displayed incorrectly even though the commit scope displayed as expected. This issue occurred when one administrator made configuration changes to separate device groups or templates that affected multiple firewalls and a different administrator attempted to push those changes.
PAN-111817
Fixed an intermittent issue on Panorama M-Series and virtual appliances where elastic search queries to Cortex Data Lake did not display logs.
PAN-111638
Fixed an issue where the external dynamic list did not update after a scheduled refresh of the list.
PAN-111593
(PA-3200 Series and PA-5200 Series firewalls only) Fixed an issue where a firewall dropped generic routing encapsulation (GRE) version 1 traffic.
PAN-110526
Fixed an issue where Captive Portal authentication required two log-in attempts when the authentication sequence was configured as an authentication profile.
PAN-110341
Fixed an issue where the firewall sent RIP updates more frequently than expected.
PAN-110293
Fixed an issue where GTP-U traffic dropped due to GTP TEID not updating correctly during a GTP-C update.
PAN-110262
Fixed an issue on VM-Series firewalls Dynamic Address Groups did not display all the tags and labels for registered IPs.
PAN-109668
A security related fix was made to limit the amount of information returned from an API call error message.
PAN-109506
Fixed an issue where a process (useridd) stopped responding when the firewall received excessive Security Assertion Markup Language (SAML) requests received.
PAN-109336
(PA-500 and PA-800 Series firewalls only) Fixed an issue where commits failed after you imported a device state from Panorama the template configuration referenced Bidirectional Forwarding Detection (BFD).
PAN-109187
Fixed an issue where an administrator with a custom configuration role could not export reports.
PAN-109096
Fixed an issue where the firewall did not remove the 4-Byte AS Format number when Remove Private AS was enabled.
PAN-109003
Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding during a local commit.
PAN-108990
Fixed an intermittent issue on a firewall where configuring Force Template Values (NetworkInterfacesCommitPush to DevicesTemplates) deleted the zone assigned to an interface.
PAN-108642
Fixed an issue where P2MP OSPF static neighbor did not display in the run-time neighbor table.
PAN-108542
Fixed an issue where the DHCP client interface was configured with an incorrect subnet mask value instead of the value provided by DHCP option 1.
PAN-108374
Fixed an issue on GlobalProtect™ where you were unable to authenticate when the domain name included the ampersand ( & ) character.
PAN-108123
Fixed an issue where applications took longer than expected to load when accessed through a Clientless VPN.
PAN-107989
Fixed an issue where the Strict IP Address Check incorrectly triggered when you enabled ECMP (Network >Virtual RoutersAddRouter settingsECMP).
PAN-107922
Fixed an issue on a VM-Series firewall where packet sizes more than 1,500 bytes caused the firewall to stop transmitting and receiving packets.
PAN-107848
Fixed an issue where commits failed after a BGP aggregate route configuration modification.
PAN-107729
Fixed an issue on a VM-Series firewall where the PCI-PT interface did not receive VLAN tagged traffic after a system boot up.
PAN-107659
(PA-5000 Series firewalls only) Fixed an issue where extra byte (1 to 7) padding were appended to the initial SYN and UDP packets, which caused the server to stop responding.
PAN-107636
(Panorama M-Series and virtual appliances only) Fixed a rare issue where the web interface did not display new logs as expected because Elasticsearch (ES) stopped working when the Raid drives reached maximum capacity and the purge script to remove old ES indices failed to execute and make room for new indices. However, this issue also resulted in creation of new ES indices that were empty because the appliance could not read or write to them. With this fix, old indices are purged as expected; however, empty ES indices created before you upgraded to this release with this fix are not removed as expected (see known issue PAN-114041).
PAN-107607
Fixed an issue where the test security-policy-match XML API command returned invalid XML responses.
PAN-107240
Fixed an issue where you were unable to retrieve the external dynamic list for URLs that included the ampersand ( & ) character in the URL string.
PAN-107120
Fixed an intermittent issue on a firewall where the (all_pktproc) stopped responding and caused the dataplane to restart.
PAN-107006
Fixed an issue where you were unable to search for service objects by destination port numbers.
PAN-106963
Fixed an issue where the firewall did not display the full URL information in the URL Filtering log (MonitorURL Filtering) after a (“ ’\r’ “) return character.
PAN-106922
A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS SNMP (CVE-2018-18065 / PAN-SA-2019-0007).
PAN-106865
Fixed an issue where DNS proxy memory leaks occurred during the FQDN refresh process.
PAN-106857
Fixed an issue where the dataplane restarted due to an internal path monitoring failure caused by large SSL decrypted file transfer sessions.
PAN-106724
Fixed an intermittent issue on a firewall where the log receiver leaked memory after 24 hours of runtime, which caused the firewall to stop responding.
PAN-106548
Fixed an issue where MIB attributes caused MIB compilation failures when using a third-party compiler.
PAN-106426
Fixed an issue where GlobalProtect did not authenticate and displayed the following error message: search failed 32.
PAN-106356
Fixed an issue where you could not log in to GlobalProtect from a mobile device when the mobile ID contained a hyphen (-) character in the mobile ID string.
PAN-106274
Fixed an issue on a firewall where a Layer 2 interface that contained a VLAN sub-interface in conjunction with policy based forwarding (PBF) caused the firewall to forward the return traffic to the incorrect web interface.
PAN-105966
A security-related fix was made to address the Linux Kernel Local Privilege Escalation vulnerability (CVE-2018-14634 / PAN-SA-2019-0006).
PAN-105792
Fixed an issue where NetFlow server profile traffic did not route over IPSec tunnels when the service route was configured to use the dataplane interface.
PAN-105747
Fixed an issue where correlated events forwarded as email alerts displayed the incorrect date and time.
PAN-105684
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where OSPF and BGP running on an Aggregate Ethernet (AE) interface with LACP enabled took longer than expected to restart after a failover.
PAN-104866
Fixed an issue on a VM-Series firewall where the dataplane interface continuously flapped when PCI passthrough was enabled with DPDK.
PAN-104738
Fixed an intermittent issue where octet values were incorrect for random flows in the NetFlow traffic.
PAN-104466
Fixed an issue on a VM-50 firewall where an out-of-memory event caused the firewall to restart.
PAN-104354
Fixed an issue in an HA active/passive configuration where the passive firewall ran a configuration out-of-sync after a restart.
PAN-104263
Fixed an issue where the real-time clock (RTC) battery voltage exceeded the maximum threshold value.
PAN-104078
Fixed an issue where BGP conditional advertisements did not respond, the BGP conditional advertisements did not match the suppress condition policy even when the prefix in the non-exist filter condition matched.
PAN-103857
Fixed an issue in an HA active/passive configuration where a suspended firewall processed traffic.
PAN-103497
Fixed an issue on PA-3200 Series firewalls where an SNMP OID (sysObjectID) reported the incorrect model (for example, PA-2020 instead of PA-3260).
PAN-103285
Fixed an issue where an API call (show system disk details), responded with the following error message: An error occurred. See dagger.log for information.
PAN-103225
Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager did not display progress after you pushed a configuration to a firewall.
PAN-103140
Fixed an issue where a newly deployed VM-Series firewall in the VMware NSX environment did not display on the summary web interface (PanoramaSummary) after a partial commit.
PAN-103023
Fixed an intermittent issue where a job type (content) caused a firewall configuration failure and the firewall to stop responding.
PAN-102745
Fixed an intermittent issue on a firewall where a commit and FQDN refresh took longer than expected.
PAN-102526
Fixed an issue on Panorama M-Series and virtual appliances where disk quota edits failed and resulted in the following error message: quota-settings -> disk-quota is invalid.
PAN-101527
Fixed an issue on a PA-5200 Series firewall where enhanced small form-factor pluggable (SFP+) ports were unable to detect link-fault events on the transmission side.
PAN-101451
Fixed an issue where SNMP queries displayed incorrect values.
PAN-101365
Fixed an intermittent issue where the session ID did not clear when the session ID was set to 0.
PAN-101341
Fixed an issue where administrators configured with Device Group and Template Admin type were unable to perform a global search and returned the following message: Unauthorized request.
PAN-101224
Fixed an intermittent issue on VM-Series firewalls in an AWS environment where packets were dropped due to a longer than expected delay in transmission.
PAN-101068
Fixed an issue where the object identifier (OID) ifAdminStatus incorrectly displayed "up" when it was configured to be configured "down."
PAN-100761
A security-related fix was made to address a development configuration file issue.
PAN-100408
Fixed an issue where the IPv6 flow label was set to 0 when decryption was configured, which caused the firewall to drop IPv6 traffic during the SSL handshake.
PAN-98420
Fixed an issue on Panorama M-Series and virtual appliances where TCP port 28 was accessible on management plane.
PAN-98128
Fixed an issue where SYN-ACK packets with low time-to-live (TTL) values were sent, which caused a connection failure.
PAN-97385
An enhancement was made to enable you to monitor connections between a firewall and Cortex Data Lake on the web interface.
PAN-96344
Fixed an issue on a firewall where TCP reset packets were sent even after you set the vulnerability profile action to drop the packets.
PAN-96038
(PA-200 <N/A in 9.0>, PA-220, and PA-220R firewalls only) Fixed an issue with the Ethernet driver that caused the firewall to reboot when experiencing heavy broadcast traffic on the management interface.
PAN-95034
Fixed an issue where a firewall stopped responding when a NAT Dynamic IP and Port (DIPP) was configured as a NAT dynamic IP fallback.
PAN-94342
Fixed an issue where the GlobalProtect Gateway host information profile (HIP) notification operation failed to execute and returned the following message: GP-EX-GW-21 -> hip-notification - > win-fw-is-not-enable -> not-match-message -> message is invalid.
PAN-84670
Fixed an issue where firewalls that were not configured to decrypt HTTPS services and applications traffic allowed users without valid authentication timestamps to access those resources regardless of Authentication Policy settings. To prevent such access, either configure the firewall to decrypt traffic or run the debug device-server cp-deny-encrypted on command and perform a force commit (this command will persist across reboots).
PAN-82421
Fixed an issue where the new connection did not get established after you changed the IP address of a log collector.

Related Documentation