PAN-OS 8.1.8 Addressed Issues
PAN-OS® 8.1.8 addressed issues
Fixed an issue on WF-500 appliances where the cluster service took longer than expected to start due to a large number of queued sample data.
Fixed an issue on WF-500 appliances where the static analysis results displayed in the PDF report but did not display in the WildFire® analysis summary of the web interface.
Fixed an issue on WildFire appliance clusters where the passive-controller responded with the incorrect Common Name (CN) in the certificate, which caused the registration to fail.
Fixed an intermittent issue on a WF-500 appliance where WildFire reports took longer than expected to generate, which caused the task to automatically timeout.
Fixed a rare issue on WF-500 appliances where the firewall did not respond after you upgraded the appliance from a PAN-OS® 8.0.1 release to a PAN-OS 8.0.10 or later release. With this fix, you can run the new
debug software raid fixup autoCLI command to recover the RAID controller.
Fixed an issue on a WF-500 appliance where during a reboot, the following error message displayed:
FATAL: module nbd not found.
Fixed an intermittent issue on a WF-500 appliance where the CLI command
debug wildfire reset global-database fixstopped responding.
Fixed an issue where RTP and RTCP predict sessions failed, which caused RTSP based video streaming to stop processing.
Fixed a file descriptor issue that caused an interface on a VM-Series firewall on Azure to stop receiving traffic.
Fixed an issue on Panorama™ M-Series and virtual appliances where serial numbers for deployed firewalls did not display in the web interface with the exception of GlobalProtect™ cloud service firewalls.
Fixed an issue where the firewall incorrectly triggered Reverse Path Forwarding (RPF), which caused packet leaks.
Fixed an intermittent issue on a firewall in a high availability (HA) active/passive configuration where five minutes after a failover test IP routes disappeared, which caused traffic interruptions.
Fixed an issue where the firewall unintentionally generated the following system log:
Installed content package WildFire is newer than available package, skipping,when you checked for WildFire updates.
Fixed an issue on a firewall in an HA active/passive configuration where a process (useridd) did not respond to the alternate user attribute (
) on the passive firewall during a restart.
Group Mapping Settings
User and Group Attributes
Fixed an issue where H.323-based calls lost audio because the predicted H.245 session was not converted to Active status, which caused the firewall to drop the H.245 traffic.
Fixed an issue on Panorama M-Series and virtual appliances where Decrypted Sessions Info (
) did not display as expected for VM-Series firewalls.
Fixed an issue on a firewall in an HA active/passive configuration where a race condition caused the firewall to stop responding after an HA1 link flap.
Fixed an issue where packet buffers did not release GlobalProtect clientless VPN packets, which caused the firewall to stop responding.
Fixed an issue where the tags were not set on OSPFv3 routes redistributed to BGP-3.
VM-50 and VM-50 Lite firewalls only) Fixed a rare out-of-memory (OOM) condition.
PA-3200, PA-5200, and PA-7000 Series firewalls only) Fixed an intermittent issue on a firewall configured with policy-based forwarding (PBF) and symmetric return, where traffic dropped because the ARP table did not get updated.
Fixed an issue where URL filtering profiles were being incorrectly applied to security policies during a commit.
Fixed an issue on PA-7000 Series firewalls where an internal packet buffer leak caused heartbeat failures.
Fixed an issue where a firewall silently dropped TCP packets when you enabled the Antivirus profile while the software deterministic finite automation (DFA) option is disabled (DFA is disabled by default).
Fixed an issue where the
show object dynamic address groupXML API command returned an invalid error message:
You must specify a valid Device Group.
Fixed an issue where the dataplane stopped responding due to an incorrectly calculated offset when you configured
Exclude video traffic from the tunnel(
Fixed an issue where member interfaces of the aggregate interface did not display on web interface (
Fixed an issue on PA-3200 and PA-5200 Series firewalls where an erroneous dataplane error (
power status is bad, shutting system down) caused the firewall to shutdown.
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure the firewall to disable the portal log-in page.
Fixed an issue where user groups were deleted from the Group Include List (
) if you changed the LDAP server profile account password.
Group Mapping Settings
Group Include List
PA-5200 Series firewall only) Fixed an intermittent issue where the internal path monitoring failed, which caused the firewall to unexpectedly restart.
Fixed an issue on PA-7000 Series firewalls where invalid filters caused the device management server to stop responding when you generated a database (DB) report from a remote firewall.
Fixed an issue where you were unable to establish OSPF neighborship when an OSPF routing protocol was configured with MD5 authentication and one of the firewalls was restarted.
Fixed an issue where the content update threshold downloaded and installed an older content version after you manually installed a newer content version.
Fixed an issue where a commit failed with an error message:
cluster is missing 'encryption'when HA Traffic Encryption (
) was not configured and after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4.
Managed WildFire Clusters
Fixed an issue where a race condition occurred when a configuration push and Netflow update occurred simultaneously, which caused the dataplane to restart.
Fixed an issue where credential phishing prevention did not detect user or password phishing when passwords, which contained two discontiguous character spaces were used.
Fixed an issue where the firewall did not generate a notification for the GlobalProtect client when the firewall denied unencrypted TLS sessions due to an authentication policy match.
Fixed an issue on Panorama M-Series and virtual appliances where the management server stopped responding when the log collector disconnected and reconnected to Panorama.
Fixed an issue where you were unable to disable the Graceful Restart (
Fixed an issue where a physical or Aggregate Ethernet (AE) Layer 3 configuration edit (
) removed the DHCP Client setting when it was configured in the subinterface.
Fixed an issue where you were unable to configure more than one device certificate (
Trusted Root CA.
Fixed an issue where service objects did not import into Panorama when you configured them identically but with different names.
Fixed an issue where you were unable to override IKE Gateway configurations (
) in the template stack. However, with this fix, you still cannot override template stacks when you configure any value with "none." Additionally, to override the Local Identification, select
Authenticationin the pop-up dialogue.
Fixed an issue where host traffic ICMP packets larger than 9,180 bytes dropped when you configured a jumbo frame with a maximum MTU value of 9,216 bytes and with the DF option enabled.
Fixed an issue where a higher than expected rate of tunnel resolution packets occurred due to an internal loop, which caused a spike in dataplane CPU usage for firewalls that support distributed tunnel ownership.
Fixed an issue where the firewall did not update the dataplane DNS cache after the management plane (MP) DNS entries expired, which caused evasion signatures to erroneously trigger a
Suspicious TLS/HTTP Evasion Foundevent.
Fixed an issue where Traps ESM (
) logs were sent to the Log Collector but did not display in the web interface.
Fixed an issue where Network Activity (
) incorrectly displayed no session activity at random time points.
Fixed an issue on a firewall in an HA active/passive configuration where scheduled dynamic updates pushed from Panorama to the managed firewalls failed.
Fixed an issue where the
test security-policy-matchCLI command ignored
source-userwhen matching security policies.
Fixed an issue where you could not log-in to GlobalProtect and resulted in the following error message:
The client certificate is invalid. Please contact your IT administrator.
Fixed an issue on a firewall in an HA active/active configuration where client-bound DHCPv6 packets dropped when you configured the firewall as a DHCPv6 relay agent.
Fixed an issue where IPv6 traffic throughput reduced more than expected after you updated a static ND entry (
) by moving the interface to a different virtual router.
Fixed an intermittent issue where authd CPU usage is higher than expected during RADIUS authentication.
Fixed an issue where stale route entries remained in the FIB after the routes were removed from the routing table when you used a redistribution rule without a profile.
Fixed an issue where after a SAML authentication an incorrect query was sent to the web browser.
Fixed an issue where VoIP traffic dropped when policy-based forwarding (PBF) was configured as a rule.
Fixed an issue where the firewall incorrectly set the FPGA, which caused the dataplane to stop responding.
Fixed an issue on a firewall in an HA active/passive configuration where the Panorama management server enabled the administrator to clone a rule on the passive firewall.
Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall reported a higher number of GlobalProtect user accounts than the active firewall.
PA-200, PA-220, and PA-800 Series firewalls only) Fixed an issue where the
Block IP Listoption, which is not supported, displayed in the administrator role profile (
Fixed an issue on a firewall in an HA active/active configuration where the iBGP peer default route did not get added to the routing table after a reboot of either firewall.
Fixed an issue where the GlobalProtect Gateway web interface did not display the list of previous users.
Fixed an issue where the
Allow matching usernames without domain(
) configuration did not respond without a domain when you used the PAN-OS XML API.
User-ID Agent Setup
Fixed an issue where a firewall incorrectly processed path monitoring, which originated from a NAT firewall on the same network segment.
Fixed an intermittent issue on a firewall where dataplane CPU spikes occurred, which caused an LACP flap.
Fixed an issue where the firewall incorrectly calculated the password expiry time for admin accounts, which caused Panorama to push locked user accounts.
PA-800 Series firewalls only) Fixed an issue on a firewall in an HA active/passive configuration where the HA failover took longer than expected.
Fixed an issue where the firewall did not send emails when you configured the email gateway with an FQDN.
Addressed an issue where in a slow network environment the firewall displayed an error message:
error on line 1 at column 1: document is emptywhen you used an API call to fetch a license even when the auth code was successfully applied. Extremely slow networks may still see this issue.
Fixed an issue where the Panorama management server stopped responding when you upgraded from PAN-OS 8.0.9 to PAN-OS 8.1.3.
Fixed an issue where the WildFire signatures sent Windows Server Updates Services (WSUS) traffic when the virus identification was incorrectly enabled in the ms-sms app definition.
Fixed an issue where the IPSec tunnel restart (
) did not display properly on the web interface.
Fixed an issue where Global Find incorrectly returned the query when there were more than one users or groups listed in the security rule.
Fixed an issue where Detailed Log View (
) did not display the file blocking logs as expected.
Detailed Log View
Fixed an issue where Dynamic Updates did not display expired threat prevention licenses when you tried to install an application from Panorama.
Fixed an intermittent issue on a firewall in an HA active/active configuration where fragmented ICMP and UDP packets dropped from the packet transmission.
Fixed an issue where the firewall used an expired certificate, which caused connecting to Cortex Data Lake to fail.
Fixed an issue on PA-3200 Series firewalls in an HA active/passive configuration where the copper ports of passive firewall were active when the passive link state was set to
Fixed an issue where the API keys did not update after you changed the master key.
Fixed an issue on a firewall where the DNS resolution routed through the dataplane and configured with a service route, stopped responding when the management interface was not configured.
Fixed an issue where the scheduled nightly custom report was not generated or emailed as expected.
Fixed an issue where an invalid Captive Portal authentication policy was successfully pushed to managed firewalls, which caused autocommits to fail.
Fixed an issue where, when you performed a Commit from Panorama to bring a firewall back to sync, the rule order displayed a random distribution instead of reflecting the order configured in Panorama.
Fixed an issue on Panorama M-Series and virtual appliances where scheduled reports generated more than one DNS lookups, which caused inconsistent name resolutions for DNS deployments.
Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.
Fixed an issue where the command-line interface (CLI) displayed an error message when you used a parenthesis character in a Global Protect External Gateway name.
A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS Linux Kernel (CVE-2017-8890).
Fixed an issue where the firewall incorrectly denied URL access when the URL filtering profile was configured to alert.
Fixed an issue where GlobalProtect clientless VPN did not get redirected to the application URL when you used Internet Explorer as a web browser.
Fixed an issue where a security rule with an "Any" destination address did not shadow rules with IPv6 destination addresses when you performed a commit or configuration validation.
Fixed an issue on PA-7000 Series firewalls where Encapsulating Security Payload (ESP) sequence numbers were reused when multiple proxy IDs were in use, which caused ESP traffic to drop while you conducted an ESP sequence check.
Fixed an issue where Threats (
) did not display resolved Threat IDs to Threat/Content Names for disabled signatures as expected.
Fixed an issue where an administrator with a custom configuration role could not export custom reports and returned the following error message:
Error enqueuing export job.
Fixed an issue where administrators could not view Managed Collectors (
) web interface.
Fixed an issue on Panorama M-Series and virtual appliances where the commit preview did not display as expected.
Fixed an issue on GlobalProtect Clientless VPN where the URL gets truncated when you exclude the domain from the
rewrite exclude domainlist.
Fixed an issue on VM-Series firewalls where a configuration commit failed due to a reversed bootstrapping process where the configuration was applied before the auth code.
Fixed an issue on Panorama M-Series and virtual appliances where the Group Include List (
) search function did not respond as expected.
Group Include List
Fixed an issue on a firewall where the web interface did not display traffic and unified logs due to a race condition.
Fixed an issue where the log collector mode did not display logs as expected after you rebooted Panorama.
Fixed an intermittent issue where the firewall sent packets incorrectly to an outgoing interface.
Fixed an issue where an internal power status reported as
abnormalcaused the firewall to shutdown.
Fixed an issue where administrators were unable to configure an IP address using templates for HA2 (
) after setting the configuration to
Data Link (HA2)
Ethernetfor Panorama management servers in an HA configuration.
Fixed an issue where scheduled reports did not generate as expected due to a race condition.
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.
Recommended For You
Recommended videos not found.