PAN-OS 8.1.9 Addressed Issues
PAN-OS® 8.1.9 addressed issues
Fixed an issue on Panorama™ M-Series and WF-500 appliances where administrators were unable to run the
debug software disk-usage aggressive-cleaning enableCLI command and resulted in the following error message:
Server error : Failed to execute op command.
Fixed an issue where after you changed the filter configuration in the
user.src notin 'cns\proxy fullprofile the firewall displayed the following error message:
Unknown user group cns\Proxy Full.
Fixed an issue where an internal path monitoring failure due to a buffer leak caused the firewall to reboot.
Fixed an issue where the firewall incorrectly displayed application dependency warnings (
) after you initiated a commit.
Fixed an issue on firewalls configured with authentication policies where sessions matching an authentication policy did not generate traffic logs as defined in the security policy when sessions were redirected or denied.
Fixed an issue where users were unable to open an app in their browser after they logged in to GlobalProtect™ Clientless VPN until they closed any and all tabs associated with that app and then opened the app a second time. This issue occurred only when an administrator configured a Source User for the Clientless VPN Security policy rule (
Fixed an issue where multiple device group administrators simultaneously enabled configuration locks caused a race condition.
Fixed an issue on Panorama M-Series and virtual appliances where the management server and a process (configd) used higher than expected CPU and memory when you added or deleted a larger than expected number of Security policy rules with an XML API.
Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where packets dropped silently due to a kernel error.
Fixed an issue where the firewall sent truncated URLs to the Captive Portal Redirect message when HTTPS traffic sent through a proxy server was subjected to decryption.
PA-200 firewalls only) Fixed an issue where the report generation default configuration caused an out-of-memory condition.
Fixed an issue where the NSX Manager passed a blank string to Panorama, which caused a null entry into the configuration and commits to fail.
Fixed an issue where the "/opt/pancfg/" partition became full due to a configuration preview operation not responding.
Fixed a rare issue where a race condition occurred between daemons during a tunnel re-key, which caused BGP sessions to drop from Large Scale VPN tunnels. To leverage this fix, you must run the
debug rasmgr delay-nh-updateCLI command.
Fixed an issue where a session created from a predict session went into DISCARD state.
Fixed an issue where you were unable to create a custom log forwarding profile when you configured a filter with the "in" and "not in" configurations (
) and resulted in the following error message:
Invalid filter <Log Forwarding profile name> match-list -> <match list profile-name> -> filter is invalid.
Fixed a rare issue where a commit caused the firewall to stop responding when you enabled flow debug and configured a NAT policy.
Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall to PAN-OS® 8.1, commits failed when Panorama is configured to manage shared gateway objects for managed firewalls.
Fixed an issue where all the log collectors did not get queued when you configured more than 32 collector groups.
Fixed an issue where the firewall discarded external dynamic lists after the list was downloaded and a server authentication attempt failure occurred.
Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall from PAN-OS 8.0.8 to PAN-OS 8.1.4, commits took longer than expected when you configured the Device Group with large group hierarchies.
Fixed an issue where the firewall created incorrect predict sessions, which caused flow sessions to fail for applications.
PA-7000 Series firewalls only) Fixed an issue where the High Speed Chasis Interconnect (HSCI) link flapped after you rebooted the firewall.
Fixed an issue where the firewall dropped
UpdatePDPContextresponse packets and displayed the following GTP log event:
Fixed an issue where the GlobalProtect gateway did not assign an IP address when the local IP address was a supernet of the GlobalProtect pool.
PA-200 firewalls only) Fixed an issue where the management plane (MP) memory was lower than expected, which caused the MP to restart.
Fixed an issue where an escape ( \ ) character was added to HTTP logs when a log contained a comma.
Fixed an issue on a VM-Series firewall in a high availability (HA) active/passive configuration where the HA1 port flapped and caused a split-brain condition.
Fixed an issue where a predefined report (
blocked credential post) generated reports using the incorrect query builder (
flags has credential-builder), which caused the report to incorrectly display logs for alerts.
Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding when a role-based user with privacy settings disabled, viewed a scheduled report that required data anonymization.
Fixed an issue where IPv4 BGP routes were missing from the routing table and FIB after a failover event.
Fixed an issue where you were unable to generate user activity reports when the username included the colon ( : ), ampersand ( & ), and single parenthesis ( ' ) characters.
PA-3200 Series firewall only) Fixed an issue on a firewall in an HA active/active configuration where packets looped due to a higher than expected CPU rate.
PA-3200 Series firewalls only) Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the
debug dataplane set pow no-desched yesCLI command (increases CPU utilization).
Fixed an issue on the Panorama management server where the
Include Device and Network Templatessetting (
Push to Devices
) was disabled by default and caused your push attempts to fail. With this fix, your push will Include Device and Network Templates by default.
Commit and Push
Fixed an issue on PA-5200 Series firewalls where the dataplane stopped responding when the session table was full.
Fixed an issue where you were unable to save host information profile (HIP) reports due to a folder permission error.
Fixed an issue in Panorama where you were able to push and commit the log forwarding configuration to firewalls that did not support it.
Fixed an issue where you were unable to generate a custom report (
Manage Custom Report
Fixed an issue where an out-of-memory condition caused all IPSec tunnels (which includes IKEv1, IKEv2, and NAT-T) to stop responding.
Fixed an issue where you were unable to establish a GlobalProtect connection on IPv6 and displayed the following error message:
Packet too big due to the firewall MTU value set lower than normalon the neighboring firewall.
Fixed an intermittent issue where heartbeats failed on the management plane (MP), which caused the dataplane to stop responding and displayed the following error message:
Dataplane is down: controlplane exit failure.
Fixed an issue where the firewall and Panorama web interface did not present HSTS headers to your web browser.
Fixed an issue where the firewall dropped HTTPS connections to GlobalProtect and did not send an HTTPS redirect, which caused the web browser to timeout.
Fixed an issue where a log collector settings preference list without an IPv4 address defined, configured an unknown entry and caused connections between log collectors to intermittently bounce.
Fixed an issue on Panorama M-Series and virtual appliances where the Device Group Syslog server profile template allowed a space between the IP address and URL, which caused pushes to firewalls to fail.
Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager web interface did not sort the list of firewalls by name.
Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the passive firewall received buffered packets while in an idle state when the data plane development kit (DPDK) was enabled.
Fixed an intermittent issue where the firewall dropped packets when the policy rule was set to allow during a commit or high availability (HA) sync.
Fixed an issue where the dataplane stopped responding and caused a failover event.
Fixed an issue where, after you upgrade the firewall from PAN-OS 8.0 to PAN-OS 8.1, firewalls configured with the User-ID™ agent and group mapping incorrectly mapped users to groups.
Fixed an issue on GlobalProtect where Security Assertion Markup Language (SAML) authentication failed when you used a macOS operating system.
Fixed an issue on Panorama M-Series and virtual appliances where a partial commit to the running configuration was successful but did not get applied to the configuration when you added a new address object to an existing address group.
Fixed an issue where device administrators were unable to manually upload signature files (
) and the firewall displayed the following error message:
You need superuser privileges to do that.
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where HA1 and HA2 links stopped passing packets, which caused a split-brain condition after an automatic configuration sync.
Fixed an issue on a firewall in an HA active/active configuration where the
show vpn ipsec-saCLI command incorrectly returned an error message:
Server error: An error occurred. See dagger.log for information. when you ran the command on the active secondary firewall.
Fixed an issue where a firewall was unable to establish an SSH session to a private cloud if you used the M-500 appliance interface configuration ethernet1/1 port.
PAN-OS 8.1.7 & 8.1.8 only) Fixed an issue where AUX ports remained in Down state after you upgraded to PAN-OS 8.1.7.
Fixed an issue where the firewall incorrectly forwarded traffic when you configured the ingress interface with a QoS policy and the egress interface as a tunnel.
Fixed an issue where the Panorama web interface took longer than expected to update the Managed Collectors (
Fixed an intermittent issue where the management plane (MP) CPU on Panorama and the manged firewall experience higher than expected usage due to the redistribution of User-ID™ and when more than one user was mapped to a single IP address.
Fixed a memory buffer allocation issue that caused the Session Initiation Protocol (SIP) traffic NAT to stop responding.
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to export threat pcaps generated from Prisma™ Access and the firewall displayed the following error message:
File not found.
Japanese language only) Fixed an issue where the
Management Interface Settings(
) web interfaces incorrectly displayed Telnet as Temperature.
Fixed an issue where you were unable to connect to a syslog server over SSL due to a certificate validation error.
PA-7000 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) port on a 20GQ NPC card unexpectedly entered low power mode and did not link up.
Fixed an issue where the dataplane did not receive enough keep-alive packets as expected, which caused the Syslog server connection to age-out.
Fixed an issue where temporary files generated during preview changes did not get cleared, which caused disk space issues.
Fixed an issue where BGP command output formats did not display consistently across different PAN-OS releases.
Fixed an issue where the FTP data connection was incorrectly matched to the predict session for IPv6 addresses.
PA-5200 Series firewalls only) Fixed an intermittent issue where CRC errors caused traffic issues.
Fixed an issue where you were unable to connect to GlobalProtect when a certificate did not have a common name.
Fixed an issue where the firewall could not send syslogs to the syslog server.
Fixed a log forwarding filter issue where the firewall incorrectly sent logs for policies that were not configured with log forwarding to the syslog server.
Fixed an issue where a commit with an authentication sequence configured was pushed from Panorama to a firewall and caused the firewall's management server to stop responding.
Fixed an issue where the firewall did not send a complete certificate chain when you configure the Windows User-ID Agent as a Syslog Listener.
Fixed an issue where an external dynamic list with an invalid IPv6 address range caused commits to fail.
Fixed an intermittent issue where the Data Filtering (
) and Threat Log (
) did not display file names when you transferred multiple files into a single session.
Fixed an issue on the PA-5220 firewall with Dynamic IP and Port (DIPP) NAT where the number of translated IP addresses could not exceed 3,000 or it caused commits to fail.
Fixed an issue where the firewall stopped enforcing policy after you manually refreshed an External Dynamic List (EDL) that had an invalid IP address or that resided on an unreachable web server.
Recommended For You
Recommended videos not found.