PAN-OS 8.1.9 Addressed Issues

PAN-OS® 8.1.9 addressed issues
Issue ID
Description
WF500-4995
Fixed an issue on Panorama™ M-Series and WF-500 appliances where administrators were unable to run the
debug software disk-usage aggressive-cleaning enable
CLI command and resulted in the following error message:
Server error : Failed to execute op command
.
PAN-118949
Fixed an issue where after you changed the filter configuration in the
user.src notin 'cns\proxy full
profile the firewall displayed the following error message:
Unknown user group cns\Proxy Full
.
PAN-118407
Fixed an issue where an internal path monitoring failure due to a buffer leak caused the firewall to reboot.
PAN-117729
Fixed an issue where the firewall incorrectly displayed application dependency warnings (
Policies
Security
) after you initiated a commit.
PAN-117149
Fixed an issue on firewalls configured with authentication policies where sessions matching an authentication policy did not generate traffic logs as defined in the security policy when sessions were redirected or denied.
PAN-116851
Fixed an issue where users were unable to open an app in their browser after they logged in to GlobalProtect™ Clientless VPN until they closed any and all tabs associated with that app and then opened the app a second time. This issue occurred only when an administrator configured a Source User for the Clientless VPN Security policy rule (
Policies
Security
<GP-VPN-Security-policy-rule>
User
).
PAN-116848
Fixed an issue where multiple device group administrators simultaneously enabled configuration locks caused a race condition.
PAN-116828
Fixed an issue on Panorama M-Series and virtual appliances where the management server and a process (
configd
) used higher than expected CPU and memory when you added or deleted a larger than expected number of Security policy rules with an XML API.
PAN-116613
Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where packets dropped silently due to a kernel error.
PAN-116579
Fixed an issue where the firewall sent truncated URLs to the Captive Portal Redirect message when HTTPS traffic sent through a proxy server was subjected to decryption.
PAN-116069
(
PA-200 firewalls only
) Fixed an issue where the report generation default configuration caused an out-of-memory condition.
PAN-116022
Fixed an issue where the NSX Manager passed a blank string to Panorama, which caused a null entry into the configuration and commits to fail.
PAN-115526
Fixed an issue where a dataplane process (
all_pktproc
) stops responding due to a packet buffer protection feature.
PAN-115494
Fixed an issue where the "/opt/pancfg/" partition became full due to a configuration preview operation not responding.
PAN-115450
Fixed a rare issue where a race condition occurred between daemons during a tunnel re-key, which caused BGP sessions to drop from Large Scale VPN tunnels. To leverage this fix, you must run the
debug rasmgr delay-nh-update
CLI command.
PAN-115415
Fixed an issue where a session created from a predict session went into DISCARD state.
PAN-115379
Fixed an issue where you were unable to create a custom log forwarding profile when you configured a filter with the "in" and "not in" configurations (
Objects
Log Forwarding
Add
Add
Filter
Filter Builder
) and resulted in the following error message:
Invalid filter <Log Forwarding profile name> match-list -> <match list profile-name> -> filter is invalid
.
PAN-115339
Fixed a rare issue where a commit caused the firewall to stop responding when you enabled flow debug and configured a NAT policy.
PAN-114743
Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall to PAN-OS® 8.1, commits failed when Panorama is configured to manage shared gateway objects for managed firewalls.
PAN-114607
Fixed an issue where all the log collectors did not get queued when you configured more than 32 collector groups.
PAN-114548
Fixed an issue where the firewall discarded external dynamic lists after the list was downloaded and a server authentication attempt failure occurred.
PAN-114437
Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall from PAN-OS 8.0.8 to PAN-OS 8.1.4, commits took longer than expected when you configured the Device Group with large group hierarchies.
PAN-114434
Fixed an issue where the firewall created incorrect predict sessions, which caused flow sessions to fail for applications.
PAN-113971
(
PA-7000 Series firewalls only
) Fixed an issue where the High Speed Chasis Interconnect (HSCI) link flapped after you rebooted the firewall.
PAN-113795
Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (
all_pkts
) stopped responding, which caused the dataplane to restart.
PAN-113775
Fixed an issue where the firewall dropped
UpdatePDPContext
response packets and displayed the following GTP log event:
122113
.
PAN-113631
A security-related fix was made to address a use-after-free (UAF) vulnerability in the Linux kernel (PAN-SA-2019-0017 / CVE-2019-8912).
PAN-113619
Fixed an issue where the GlobalProtect gateway did not assign an IP address when the local IP address was a supernet of the GlobalProtect pool.
PAN-113614
Fixed an issue with a memory leak on Panorama appliances associated with commits that eventually caused an unexpected restart of the configuration (
configd
) process.
PAN-113340
(
PA-200 firewalls only
) Fixed an issue where the management plane (MP) memory was lower than expected, which caused the MP to restart.
PAN-113189
A security-related fix was made to correct log file string-conversion errors that caused parsing issues, which caused the User-ID (
useridd
) process to stop running.
PAN-113046
(
PA-5200 Series firewalls only
) Fixed an issue where a process (
brdagent
) stopped responding, which caused the management plane to stop responding.
PAN-112674
Fixed an issue where an escape ( \ ) character was added to HTTP logs when a log contained a comma.
PAN-112577
Fixed an issue on a VM-Series firewall in a high availability (HA) active/passive configuration where the HA1 port flapped and caused a split-brain condition.
PAN-112446
Fixed an issue where a predefined report (
blocked credential post
) generated reports using the incorrect query builder (
flags has credential-builder
), which caused the report to incorrectly display logs for alerts.
PAN-112319
Fixed an issue where a race condition caused a process (
mgmtsrvr
) to restart with an error message:
Connecting to management server failed
.
PAN-112274
Fixed an issue on Panorama M-Series and virtual appliances where a process (
configd
) stopped responding when a role-based user with privacy settings disabled, viewed a scheduled report that required data anonymization.
PAN-112167
Fixed an issue where IPv4 BGP routes were missing from the routing table and FIB after a failover event.
PAN-111976
Fixed an issue where you were unable to generate user activity reports when the username included the colon ( : ), ampersand ( & ), and single parenthesis ( ' ) characters.
PAN-111930
(
PA-3200 Series firewall only
) Fixed an issue on a firewall in an HA active/active configuration where packets looped due to a higher than expected CPU rate.
PAN-111708
(
PA-3200 Series firewalls only
) Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the
debug dataplane set pow no-desched yes
CLI command (increases CPU utilization).
PAN-111553
Fixed an issue on the Panorama management server where the
Include Device and Network Templates
setting (
Commit
Push to Devices
Edit Selections
or
Commit
Commit and Push
Edit Selections
) was disabled by default and caused your push attempts to fail. With this fix, your push will Include Device and Network Templates by default.
PAN-111540
Fixed an issue on PA-5200 Series firewalls where the dataplane stopped responding when the session table was full.
PAN-111468
Fixed an issue where you were unable to save host information profile (HIP) reports due to a folder permission error.
PAN-111308
Fixed an issue in Panorama where you were able to push and commit the log forwarding configuration to firewalls that did not support it.
PAN-111286
Fixed an issue where you were unable to generate a custom report (
Monitor
Manage Custom Report
<device-name>
Report Setting
).
PAN-111084
Fixed an issue where an out-of-memory condition caused all IPSec tunnels (which includes IKEv1, IKEv2, and NAT-T) to stop responding.
PAN-110962
Fixed an issue where a process (
all_pktproc
) stopped responding when SSH decryption was enabled, which caused the dataplane to restart.
PAN-110638
Fixed an issue where you were unable to establish a GlobalProtect connection on IPv6 and displayed the following error message:
Packet too big due to the firewall MTU value set lower than normal
on the neighboring firewall.
PAN-110548
Fixed an intermittent issue where heartbeats failed on the management plane (MP), which caused the dataplane to stop responding and displayed the following error message:
Dataplane is down: controlplane exit failure
.
PAN-110168
Fixed an issue where the firewall and Panorama web interface did not present HSTS headers to your web browser.
PAN-109926
Fixed an issue where the firewall dropped HTTPS connections to GlobalProtect and did not send an HTTPS redirect, which caused the web browser to timeout.
PAN-109853
Fixed an issue where a log collector settings preference list without an IPv4 address defined, configured an unknown entry and caused connections between log collectors to intermittently bounce.
PAN-109746
Fixed an issue on Panorama M-Series and virtual appliances where the Device Group Syslog server profile template allowed a space between the IP address and URL, which caused pushes to firewalls to fail.
PAN-109701
Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager web interface did not sort the list of firewalls by name.
PAN-109672
Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the passive firewall received buffered packets while in an idle state when the data plane development kit (DPDK) was enabled.
PAN-109663
Fixed an intermittent issue where the firewall dropped packets when the policy rule was set to allow during a commit or high availability (HA) sync.
PAN-109551
Fixed an issue where group-based policy match stopped responding after a process (
useridd
) restarted.
PAN-109186
Fixed an issue where the dataplane stopped responding and caused a failover event.
PAN-109024
Fixed an issue where, after you upgrade the firewall from PAN-OS 8.0 to PAN-OS 8.1, firewalls configured with the User-ID™ agent and group mapping incorrectly mapped users to groups.
PAN-107677
Fixed an issue on GlobalProtect where Security Assertion Markup Language (SAML) authentication failed when you used a macOS operating system.
PAN-107143
Fixed an issue on Panorama M-Series and virtual appliances where a partial commit to the running configuration was successful but did not get applied to the configuration when you added a new address object to an existing address group.
PAN-107117
Fixed an issue where device administrators were unable to manually upload signature files (
Device
Dynamic Updates
) and the firewall displayed the following error message:
You need superuser privileges to do that
.
PAN-106914
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where HA1 and HA2 links stopped passing packets, which caused a split-brain condition after an automatic configuration sync.
PAN-106543
Fixed an issue on a firewall in an HA active/active configuration where the
show vpn ipsec-sa
CLI command incorrectly returned an error message:
Server error: An error occurred. See dagger.log for information
. when you ran the command on the active secondary firewall.
PAN-106141
Fixed an issue where a firewall was unable to establish an SSH session to a private cloud if you used the M-500 appliance interface configuration ethernet1/1 port.
PAN-106019
Fixed an issue where a process (
routed
) stopped responding when an incomplete command ran in the XML API.
PAN-105737
(
PAN-OS 8.1.7 & 8.1.8 only
) Fixed an issue where AUX ports remained in Down state after you upgraded to PAN-OS 8.1.7.
PAN-104909
Fixed an issue where the firewall incorrectly forwarded traffic when you configured the ingress interface with a QoS policy and the egress interface as a tunnel.
PAN-104515
Fixed an issue where the Panorama web interface took longer than expected to update the Managed Collectors (
Panorama
Managed Collectors
) status.
PAN-104144
Fixed an intermittent issue where the management plane (MP) CPU on Panorama and the manged firewall experience higher than expected usage due to the redistribution of User-ID™ and when more than one user was mapped to a single IP address.
PAN-103847
Fixed a memory buffer allocation issue that caused the Session Initiation Protocol (SIP) traffic NAT to stop responding.
PAN-103656
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to export threat pcaps generated from Prisma™ Access and the firewall displayed the following error message:
File not found
.
PAN-101598
(
Japanese language only
) Fixed an issue where the
Interface Mgmt
(
Network
Network Profiles
Interface Mgmt
) and
Management Interface Settings
(
Device
Setup
Interfaces
Management
) web interfaces incorrectly displayed Telnet as Temperature.
PAN-101215
Fixed an issue where you were unable to connect to a syslog server over SSL due to a certificate validation error.
PAN-100773
(
PA-7000 Series firewalls only
) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) port on a 20GQ NPC card unexpectedly entered low power mode and did not link up.
PAN-99958
Fixed an issue where the dataplane did not receive enough keep-alive packets as expected, which caused the Syslog server connection to age-out.
PAN-99134
Fixed an issue where temporary files generated during preview changes did not get cleared, which caused disk space issues.
PAN-99016
A security-related fix was made to address the LazyFP state restore vulnerability (PAN-SA-2019-0017 / CVE-2018-3665).
PAN-96827
Fixed an issue where BGP command output formats did not display consistently across different PAN-OS releases.
PAN-96790
Fixed an issue where the FTP data connection was incorrectly matched to the predict session for IPv6 addresses.
PAN-96707
(
PA-5200 Series firewalls only
) Fixed an intermittent issue where CRC errors caused traffic issues.
PAN-96371
Fixed an issue where you were unable to connect to GlobalProtect when a certificate did not have a common name.
PAN-95534
Fixed an issue where the firewall could not send syslogs to the syslog server.
PAN-95072
Fixed a log forwarding filter issue where the firewall incorrectly sent logs for policies that were not configured with log forwarding to the syslog server.
PAN-94279
Fixed an issue where a commit with an authentication sequence configured was pushed from Panorama to a firewall and caused the firewall's management server to stop responding.
PAN-94059
Fixed an issue where the firewall did not send a complete certificate chain when you configure the Windows User-ID Agent as a Syslog Listener.
PAN-91442
Fixed an issue where an external dynamic list with an invalid IPv6 address range caused commits to fail.
PAN-89820
Fixed an intermittent issue where the Data Filtering (
Monitor
Data Filtering
) and Threat Log (
Monitor
Threat
) did not display file names when you transferred multiple files into a single session.
PAN-88987
Fixed an issue on the PA-5220 firewall with Dynamic IP and Port (DIPP) NAT where the number of translated IP addresses could not exceed 3,000 or it caused commits to fail.
PAN-88487
Fixed an issue where the firewall stopped enforcing policy after you manually refreshed an External Dynamic List (EDL) that had an invalid IP address or that resided on an unreachable web server.

Recommended For You