Known Issues Related to PAN-OS 8.1 Releases

List of known issues in the PAN-OS® 8.1 release.
The following list includes known issues specific to PAN-OS® 8.1 releases, including known issues specific to Panorama™ and GlobalProtect™, as well as known issues that apply more generally or that are not identified by an issue ID. See also the Known Issues Specific to the WF-500 Appliance.
Issue ID
Description
Upgrading a PA-200 or PA-500 firewall to PAN-OS 8.1 can take 30 to 60 minutes to complete. Ensure uninterrupted power to your firewall throughout the upgrade process.
PAN-OS 8.1.1 introduces a new software integrity check; a failed check results in a critical system log, while a passed check generates an informational system log.
To check for a software integrity check failure, select Monitor > Logs and enter the filter: (severity eq critical) and (eventid eq fips-selftest-integ).
Please contact Palo Alto Networks Support if a device fails a software integrity check.
GPC-2742
If you configure GlobalProtect portals and gateways to use client certificates and LDAP as two factors of authentication, Chromebook endpoints that run Chrome OS 47 or later versions encounter excessive prompts to select a client certificate.
Workaround: To prevent excessive prompts, configure a policy to specify the client certificate in the Google Admin console and deploy that policy to your managed Chromebooks:
  1. Log in to the Google Admin console and select Device management > Chrome management > User settings.
  2. In the Client Certificates section, enter the following URL pattern to Automatically Select Client Certificate for These Sites:
    {"pattern": "https://[*.]", "filter":{}}
  3. Click Save. The Google Admin console deploys the policy to all devices within a few minutes.
PLUG-380
When you rename a device group, template, or template stack in Panorama that is part of a VMware NSX service definition, the new name is not reflected in NSX Manager. Therefore, any ESXi hosts that you add to a vSphere cluster are not added to the correct device group, template, or template stack and your Security policy is not pushed to VM-Series firewalls that you deploy after you rename those objects. There is no impact to existing VM-Series firewalls.
PAN-116436
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues; see PAN-94475.
(Panorama virtual appliances only) There is a disk space calculation error that eventually leads to an erroneous opt/panlogs/ partition full condition and causes a process (CDB) to stop responding.
PAN-116084
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.
(PAN-OS 8.1.7 only) VM-Series firewalls on Microsoft Azure deployed using MMAP drop traffic when the firewall experiences heavy traffic.
PAN-114041
(Panorama™ M-Series and virtual appliances only) There is a rare issue where, as a result of known issue PAN-107636, new Elasticsearch (ES) indices are empty, which prevents the web interface from displaying logs for the days associated with those indices. The root cause of this issue is addressed in PAN-OS 8.1.7; however, if you cannot see logs for a given day, contact your Support team to get help recovering them.
PAN-113614
There is an issue with a memory leak associated with commits on Panorama appliances that eventually causes an unexpected restart of the configuration (configd) process.
PAN-112814
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.
(PAN-OS 8.1.6 and later releases only) H.323-based calls lose audio when the predicted H.245 session cannot convert to Active status, which causes the firewall to incorrectly drop H.245 traffic.
PAN-112428
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.
If you use Panorama running PAN-OS 8.1.6 to manage a WildFire appliance that is running PAN-OS 8.1.5 or an earlier PAN-OS 8.1 release, autocommits will intermittently fail and Panorama will stop displaying device groups.
Workaround: If you use Panorama to manage any WildFire appliances running a PAN-OS 8.1 release, upgrade those WildFire appliances to PAN-OS 8.1.6 before you upgrade Panorama to PAN-OS 8.1.6. If you already upgraded Panorama to PAN-OS 8.1.6, then upgrade all PAN-OS 8.1 WildFire appliances to PAN-OS 8.1.6, as well, and then reboot Panorama.
PAN-111928
Invalid configuration errors are not displayed as expected when you revert a Panorama management server configuration.
Workaround: After you revert the Panorama configuration, Commit (Commit > Commit to Panorama) the reverted configuration to display the invalid configuration errors.
PAN-111866
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.
The push scope selection on the Panorama web interface displays incorrectly even though the commit scope displays as expected. This issue occurs when one administrator makes configuration changes to separate device groups or templates that affect multiple firewalls and a different administrator attempts to push those changes.
Workaround: Perform one of the following tasks.
  • Initiate a Commit to Panorama operation followed by a Push to Devices operation for the modified device group and template configurations.
  • Manually select the devices that belong to the modified device group and template configurations.
PAN-111729
If you disable DPDK mode and enable it again, you must reboot the firewall immediately.
PAN-111708
(PA-3200 Series firewalls only) There is a rare issue where a software issue causes the dataplane to restart unexpectedly.
PAN-111670
Tagged VLAN traffic fails when sent through an SR-IOV adapter.
PAN-111553
On the Panorama management server, the Include Device and Network Templates setting is disabled by default when you attempt to push changes to managed devices, which causes your push to fail.
Workaround: Before you commit and push the configuration changes from Panorama to your managed devices, edit the push scope (Commit > Push to Devices > Edit Selections or Commit > Commit and Push > Edit Selections) to Include Device and Network Templates.
PAN-109759
This issue is now resolved. See PAN-OS 8.1.8 Addressed Issues.
The firewall does not generate a notification for the GlobalProtect client when the firewall denies an unencrypted TLS session due to an authentication policy match.
PAN-109594
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.
(HA configurations only) The dataplane restarts when an IPsec rekey event occurs and causes a tunnel process (tund) failure when one—but not both—HA peers is running PAN-OS 8.0.14 or PAN-OS 8.1.5.
Workaround: Temporarily modify the IKE phase 2 lifetime for both peers (Network > Network Profiles > IPsec Crypto) to increase the interval between rekey events (default is one hour) to avoid a rekey event before you complete the upgrade on the second peer. Alternatively, remove the HA configuration, upgrade both firewalls, and then restore the HA configuration.
PAN-109526
The system log does not display the URL for CRL files correctly; the URLs are displayed with encoded characters.
PAN-108805
This issue is now resolved. See PAN-OS 8.1.5 Addressed Issues.
(PA-3250 and PA-3260 firewalls only) There is a rare issue with deterministic finite automaton (DFA) signature matching in PAN-OS 8.1.2 and later releases that causes the firewall to stop responding when using hardware-based DFA scanning (default).
Workaround: In PAN-OS 8.1.5, you can use the following CLI commands to switch to software-based DFA scanning:
  • set system setting dfa-mode [hw-dfa|sw-dfa]—Switch between DFA scanning options (persistent across restarts and does not require a reboot).
  • set system setting dfa-mode-default—Restore the default DFA setting.
  • show system setting dfa-mode—Show the current DFA scanning configuration.
PAN-107636
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.
(Panorama M-Series and virtual appliances only) There is a rare issue where the purge script does not remove the oldest Elasticsearch (ES) indices to make room for new ones as expected when the appliance reaches maximum capacity. This prevents the web interface from displaying any logs for the days associated with those new ES indices (see known issue PAN-114041) because those indices are empty (the appliances cannot read or write to them). If you experience this issue, contact your Support team for assistance.
PAN-107449
This issue is now resolved. See PAN-OS 8.1.5 Addressed Issues.
(PAN-OS 8.1.4 only) Firewalls fail to establish IKE phase 1 or phase 2 when you specify Diffie-Hellman (DH) group1.
Workaround: Specify a DH group other than group1.
PAN-107271
This issue is now resolved. See PAN-OS 8.1.4-h2 Addressed Issues.
(PA-3200 Series firewalls running PAN-OS 8.1.4 in an HA configuration only) The physical link for the HA1-B (backup) port does not function as expected, which means you cannot use this port as an HA1 backup interface when running PAN-OS 8.1.4.
PAN-106989
There is a display-only issue on Panorama that results in a commit failed status for Template Last Commit State (Panorama > Managed Devices > Summary).
Workaround: Push templates to managed devices.
PAN-106675
After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers.
Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary) containing the top attackers to mimic the predefined reports.
PAN-105737
(PAN-OS 8.1.7 and PAN-OS 8.1.8 only) If you use the AUX 1 or AUX 2 interface and you do not configure an IP address, network mask, and default gateway for the interface, the interface will not come up when you upgrade the firewall to PAN-OS 8.1.7. The most common use of AUX interfaces is to configure AUX ports as HA1 and HA1 Backup interfaces for fiber connections on PA-5200 Series firewalls in an HA configuration.
Workaround: To avoid a split-brain scenario in HA configurations as a result of this issue, configure a default gateway on at least one of the AUX interfaces.
PAN-105210
(Panorama in FIPS mode only when managing non-FIPS firewalls) You cannot configure a GlobalProtect portal on Panorama in FIPS mode when managing a non-FIPS firewall. If you attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips.
PAN-103276
Adding a disk to a Panorama 8.1 virtual appliance on VMware ESXi 6.5 update1 causes the Panorama virtual appliance and host web client to become unresponsive.
Workaround: Upgrade the ESXi host to ESXi 6.5 update2 and add the disk again.
PAN-102828
(Panorama plugins) When you use the AND/OR boolean operators to define the match criteria for Dynamic Address Groups on Panorama, the boolean operators do not function properly. The member IP addresses are not included in the address group as expected.
PAN-102140
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.
Extended Authentication (X-Auth) clients intermittently fail to establish an IPSec tunnel to GlobalProtect gateways.
PAN-101819
This issue is now resolved. See PAN-OS 8.1.5 Addressed Issues.
The Panorama Controller does not display all commit-all jobs for Panorama Nodes (Panorama > Interconnect > Tasks) and the Panorama Controller does not push those missing jobs when you Push to Devices if the associated Panorama Node is running a PAN-OS 8.1 release.
PAN-101688
(Panorama plugins) The IP address-to-tag mapping information registered on a firewall or virtual system is not deleted when you remove the firewall or virtual system from a Device Group.
Workaround: Log in to the CLI on the firewall and enter the following command to unregister the IP address-to-tag mappings: debug object registered-ip clear all.
PAN-100686
An invalid public key is intermittently applied to the administrator account when deploying a VM-Series firewall in Google Cloud using the Google web interface.
Workaround: The administrator must log in to the firewall via SSH with a valid private key using the ssh -i private-key-file admin@VM command. Then, from the CLI, remove the invalid public key and add a password for the admin Profile using the following configuration commands to enable successful commits:
    # delete mgt-config users admin public-key
    # set mgt-config users admin password
    # commit
PAN-100244
This issue is now resolved. See PAN-OS 8.1.5 Addressed Issues.
There is a rare issue where a failed commit or commit validation followed by a non-user-committed event (such as an FQDN refresh, an external dynamic list refresh, or an antivirus update) results in an unexpected change to the configuration that causes the firewall to drop traffic.
Workaround: Perform a successful commit immediately after you experience this issue. Alternatively, reload an earlier successfully-committed configuration and manually refresh the FQDN list.
PAN-100154
(PAN-OS 8.1.3 and later PAN-OS 8.1 releases only) The default static route always becomes the active route and takes precedence over a DHCP auto-created default route that is pointing to the same gateway regardless of the metrics or order of installation. Thus, when the system has both a DHCP auto-created default route and a manually configured default static route pointing to the same gateway, the firewall always installs the default static route in the FIB.
Workaround: Set the Default Route Metric in the web interface DHCP Client configuration (Network > Interfaces > {Ethernet | VLAN} > <interface> > IPv4).
PAN-99924
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.
Fixed an issue where the Panorama management server web and command line interface (CLI) stopped responding after a partial configuration load (Panorama > Setup > Operations).
PAN-99084
(HA configurations running PAN-OS 8.0.9 or a later PAN-OS release) If you disable the HA configuration sync option (enabled by default), User-ID data does not sync as expected between HA peers.
Workaround: Re-Enable Config Sync (Device > High Availability > General > Setup settings).
PAN-98735
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Upgrading a Panorama management server on Microsoft Azure from PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2 results in an autocommit failure.
Workaround: Before you upgrade to PAN-OS 8.1.1 or PAN-OS 8.1.2, export your Panorama 8.1.0 configuration. Then upgrade the Panorama management server and, when finished, import your exported configuration.
Alternatively, you can export the Panorama 8.1.0 configuration, deploy a new instance of Panorama using the 8.1.2 image on the Azure marketplace, and then import and reload the exported configuration.
If you decide to launch a new Panorama 8.1.2 VM through the Azure marketplace, the web interface will display the image as PAN-OS8.1.2-h4.
PAN-97848
Panorama on KVM deploys in Legacy mode instead of Management Only mode even when meeting the minimum resource requirements for Management Only mode.
Workaround: After you successfully deploy Panorama on KVM, change to Management Only mode.
PAN-97757
GlobalProtect authentication fails with an Invalid username/password error (because the user is not found in Allow List) after you enable GlobalProtect authentication cookies and add a RADIUS group to the Allow List of the authentication profile used to authenticate to GlobalProtect.
Workaround: Disable GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve user group from RADIUS in the authentication profile and configure group mapping from Active Directory (AD) through LDAP.
PAN-97561
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Panorama appliances running PAN-OS 8.1.2 cannot connect to the Logging Service:
  • When you deploy a Panorama 8.1.2 virtual appliance, Panorama is unable to connect to the Logging Service and firewalls are unable to forward logs to the Logging Service.
  • If you upgrade a Panorama virtual appliance with Logging Service enabled to PAN-OS 8.1.2, both Panorama and the firewalls will continue to connect to the Logging Service but will not display information about Logging Services instances when you run the request logging-service-forwarding customerinfo fetch CLI command.
PAN-97524
(Panorama management server only) The Security Zone and Virtual System columns (Network tab) display None after a Device Group and Template administrator with read-only privileges performs a context switch.
PAN-96985
The request shutdown system command does not shut down the Panorama management server.
PAN-96960
You cannot restart or shut down a Panorama on KVM from the Virtual-manager console or virsh CLI.
PAN-96813
The GlobalProtect gateway ignores the Enable X-Auth Support setting when you enable or disable it through the firewall web interface (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
Workaround: Enable or disable X-Auth support by running the set network tunnel global-protect-gateway <gateway> ipsec third-party-client rekey-noauth {yes | no} configuration mode CLI command.
PAN-96734
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The configuration daemon (configd) stops responding during a partial revert operation when reverting an interface configuration.
PAN-96587
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
PA-7000 Series and PA-5200 Series firewalls intermittently fail to forward logs to Log Collectors or the Logging Service due to DNS resolution failure for the FQDNs of those log receivers.
Workaround: On the firewall, commit a configuration change or run the debug software restart process log-receiver CLI command.
PAN-96572
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
After end users successfully authenticate for access to a service or application, their web browsers briefly display a page indicating that authentication completed and then they are redirected to an unknown URL that the user did not specify.
PAN-96446
A firewall that is not included in a Collector Group fails to generate a system log if logs are dropped when forwarded to a Panorama management server that is running in Management Only mode.
PAN-96113
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
In a deployment where the firewall connects to a Border Gateway Protocol (BGP) peer that advertises a route for which the next hop is not in the same subnetwork as the BGP peer interface, the show routing protocol bgp rib-out CLI command does not display advertised routes that the firewall sent to the BGP peer.
Workaround: Move the next hop to the same subnetwork as the BGP peer interface.
PAN-95999
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.
Firewalls in an HA active/active configuration with a default session setup and owner configuration drop packets in a GlobalProtect VPN tunnel that uses a floating IP address.
PAN-95895
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Firewalls that collect port-to-username mappings from Terminal Services agents don't enforce user-based policies correctly because the dataplane has incorrect primary-to-alternative-username mappings even after you clear the User-ID cache.
PAN-95773
On VM-Series firewalls that have Data Plane Development Kit (DPDK) enabled and that use the i40e network interface card (NIC), the show session info CLI command displays an inaccurate throughput and packet rate.
Workaround: Disable DPDK by running the set system setting dpdk-pkt-io off CLI command.
PAN-95736
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The mprelay process stops responding when a commit occurs while the firewall is identifying flows that need a NetFlow update.
PAN-95717
After 30,000 or more end users log in to the GlobalProtect gateway within a two- to three-hour period, the firewall web interface responds slowly, commits take longer than expected or intermittently fail, and Tech Support File generation times out and fails.
PAN-95602
In a deployment where a Log Collector connects to Panorama management servers in an HA configuration, after you switch the Log Collector appliance to Panorama mode, commit operations fail on the appliance.
Workaround: Remove the following node from the running-config.xml file on the Log Collector before switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2.
PAN-95513
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues; fix requires the VMware NSX 2.0.4 or later plugin.
On the Panorama management server, selecting additional target firewalls for a shared policy rule clears any existing firewall selections for that rule (Panorama > Policies > <policy_type> > {Pre Rules | Post Rules | Default Rules} > Target).
PAN-95511
The name for an address object, address group, or an external dynamic list must be unique. Duplicate names for these objects can result in unexpected behavior when you reference the object in a policy rule.
PAN-95445
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues; fix requires the VMware NSX 2.0.4 or later plugin.
VM-Series firewalls for NSX and firewalls in an NSX notify group (Panorama > VMware NSX > Notify Group) briefly drop traffic while receiving dynamic address updates after the primary Panorama in an HA configuration fails over.
PAN-95443
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
A VM-Series firewall on KVM in DPDK mode doesn't receive traffic after you configure it to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF).
PAN-95197
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose traffic and have to reconnect because the firewall drops the response message that a Gateway GPRS support node (GGSN) sends for a second Packet Data Protocol (PDP) context update.
PAN-95028
For administrator accounts that you created in PAN-OS 8.0.8 and earlier releases, the firewall does not apply password profile settings (Device > Password Profiles) until after you upgrade to PAN-OS 8.0.9 or a later release and then only after you modify the account passwords. (Administrator accounts that you create in PAN-OS 8.0.9 or a later release do not require you to change the passwords to apply password profile settings.)
PAN-94966
After you delete disconnected and connected Terminal Server (TS) agents in the same operation, the firewall still displays the IP address-to-port-user mappings (show user ip-port-user-mapping CLI command) for the disconnected TS agents you deleted (Device > User Identification > Terminal Services Agents).
Workaround: Do not delete both disconnected and connected TS agents in the same operation.
PAN-94917
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
On Panorama Log Collectors, the show system masterkey-properties CLI command does not display the master key lifetime and reminder settings.
PAN-94864
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
A firewall receiving IP addresses via DHCP fails to resolve FQDN objects to an IP address.
PAN-94853
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Mobile endpoints that use GPRS Tunneling Protocol (GTP) lose GTP-U traffic because the firewall drops all GTP-U packets as packets without sessions after receiving two GTP requests with the same tunnel endpoint identifiers (TEIDs) and IP addresses.
PAN-94846
When DPDK is enabled on the VM-Series firewall with i40e virtual function (VF) driver, the VF does not detect the link status of the physical link. The VF link status remains up, regardless of changes to the physical link state.
PAN-94777
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
A 500 Internal Server error occurs for traffic that matches a Security policy rule with a URL Filtering profile that specifies a Continue action (Objects > Security Profiles > URL Filtering) because the firewall does not treat the API keys as binary strings.
Workaround: Reboot the firewall.
PAN-94452
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
The firewall records GPRS Tunneling Protocol (GTP) packets multiple times in firewall-stage packet captures (PCAPs).
PAN-94402
Upgrading firewalls from PAN-OS 8.0 to 8.1 causes the loss of user mapping information and therefore disrupts user-based policies in the following HA configurations:
  • Active/active (in this example, the primary/secondary peers are firewall1/firewall2)—During the period after you upgrade firewall1 to PAN-OS 8.1 but before you upgrade firewall2, firewall1 loses user mapping information. When you finish upgrading both firewalls to PAN-OS 8.1, HA synchronization restores the lost mapping information on firewall1.
  • Active/passive (in this example, the active/passive peers are firewall1/firewall2)—After you upgrade firewall2 to PAN-OS 8.1 but before you upgrade firewall1, firewall2 loses user mapping information but does not enforce policies because it is still in a passive state. However, after you trigger failover by suspending firewall1 (in anticipation of upgrading it), firewall2 becomes the active peer and fails to enforce user-based policies because its mapping information is still missing. After you then upgrade firewall1 and trigger failback, firewall1 resumes enforcing policy and HA synchronization ensures the mapping information is complete on both firewalls.
In both configurations, whichever firewall is missing user mapping information also cannot collect new user mappings through the PAN-OS XML API until you finish upgrading both HA peers.
PAN-94382
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
On the Panorama management server, the Task Manager displays Completed status immediately after you initiate a push operation to firewalls (Commit all) even though the push operation is still in progress.
PAN-94290
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
(HA active/active configuration only) Fragmented packets are dropped when traversing a firewall.
PAN-94278
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
A Panorama Collector Group forwards Threat and WildFire Submission logs to the wrong external server after you configure match list profiles with the same name for both log types (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding > {Threat | WildFire} > <match_list_profile>).
Workaround: Configure match list profiles with different names for Threat and WildFire Submission logs.
PAN-94236
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.
When the file-forwarding queue limit is reached, additional files fail to upload to the WildFire cloud. However, these files are included in the WildFire log with a status of offset mismatch.
PAN-94187
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The firewall does not apply tag-based matching rules for dynamic address groups unless you enclose the tag names with single quotes ('<tag_name>') in the matching rules (Objects > Address Groups > <address_group>).
PAN-94167
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Firewalls randomly retain IP address-to-username mappings even after receiving information via User-ID Redistribution that the mapping was deleted or expired.
PAN-94135
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Device monitoring does not work on the Panorama management server.
Workaround: To enable Panorama to receive device monitoring information from firewalls running PAN-OS 8.1, run the monitoring cfg-send device <device_serial_number> CLI command on Panorama.
PAN-94023
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The request system external-list show type ip name <EDL_name> CLI command does not display external dynamic list entries after you restart the management server (mgmtsrvr) process.
PAN-93968
The firewall and Panorama web interfaces display vulnerability threat IDs that are not available in PAN-OS 8.1 releases (Objects > Security Profiles > Vulnerability Protection > <profile> > Exceptions). To confirm whether a particular threat ID is available in your release, monitor the release notes for each new Applications and Threats content update or check the Palo Alto Networks Threat Vault to see the minimum PAN-OS release version for a threat signature.
PAN-93937
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The management server process (mgmtsrvr) on the firewall restarts whenever you push configurations from the Panorama management server.
PAN-93930
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
When you enable SSL decryption on a firewall, decryption errors cause a process (all_pktproc) to stop responding and cause the dataplane to restart.
PAN-93889
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The Panorama management server generates high-severity System logs with the message Syslog connection established to server after you configure Traps log ingestion (Panorama > Log Ingestion Profile) for forwarding to a syslog server (Panorama > Server Profiles > Syslog) and commit configuration changes (Commit > Commit to Panorama).
Workaround: Disable Traps log ingestion.
PAN-93865
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
The GlobalProtect agent can't split tunnel applications based on the destination domain because the Include Domain and Exclude Domain lists are not pushed to the agent after the user establishes the GlobalProtect connection (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-setting-config> > Split Tunnel > Domain and Application).
In addition, the GlobalProtect agent can't include applications in the VPN tunnel based on the application process name because the Include Client Application Process Name list is not pushed to the agent after the user establishes the GlobalProtect connection.
PAN-93864
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
The password field does not display in the GlobalProtect portal login dialog if you attach the certificate profile to the portal configuration.
Workaround: Remove the certificate profile from the portal configuration or set the username field to None in the certificate profile.
PAN-93842
The logging status of a Panorama Log Collector deployed on AWS or Azure displays as disconnected when you configure the ethernet1/1 to ethernet1/5 interfaces for log collection (Panorama > Managed Collectors > Interfaces). This results in firewalls not sending logs to the Log Collector.
Workaround: Configure the management (MGT) interface for log collection.
PAN-93755
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
SSL decrypted traffic fails after you Enforce Symmetric Return in Policy Based Forwarding (PBF) policy rules (Policies > Policy Based Forwarding).
PAN-93753
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
High log rates cause disk space on PA-200 firewalls to reach maximum capacity.
PAN-93705
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Configuring additional interfaces (such as ethernet1/1 or ethernet1/2) on the Panorama management server in Management Only mode causes an attempt to create a local Log Collector when you commit the configuration (Panorama > Setup > Interfaces). This will cause the commit to fail because a local Log Collector is not supported on a Panorama management server in Management Only mode.
PAN-93640
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
On firewalls, the Log Collector preference list displays the IP address of a Panorama Log Collector deployed on AWS as unknown if the interface (ethernet1/1 to ethernet1/5) used for sending logs does not have a public IP address configured and you push configurations to the Collector Group.
Workaround: Configure the management (MGT) interface for log collection.
PAN-93607
When you configure a VM-500 firewall with an SCTP Protection profile (Objects > Security Profiles > SCTP Protection) and you try to add the profile to an existing Security Profile Group (Objects > Security Profile Groups), the Security Profile Group doesn’t list the SCTP Protection profile in its drop-down list of available profiles.
Workaround: Create a new Security Profile Group and select the SCTP Protection profile from there.
PAN-93532
When you configure a firewall running PAN-OS 8.1 as a Thales HSM client, the web interface on the firewall displays the Thales server status as Not Authenticated, even though the HSM state is up (Device > Setup > HSM).
PAN-93522
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
On firewalls in an HA configuration, traffic is disrupted because the dataplane restarts unexpectedly when the firewall concurrently processes HA messages and packets for the same session. This issue applies to all firewall models except the PA-200 and VM-50 firewalls.
PAN-93430
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
The firewall web interface doesn't display Host Information Profile (HIP) information in HIP Match logs for end users who have Microsoft-supported special characters in their domains or usernames.
PAN-93410
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
PA-5200 Series firewalls send logs to the passive or suspended Panorama virtual appliance in Legacy mode in an HA configuration.
Workaround: On the active Panorama, run the request log-fwd-ctrl device <firewall_serial_number> action start CLI command, where <firewall_serial_number> is the serial number of the firewall from which you want to send logs to Panorama.
PAN-93318
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
Firewall CPU usage reaches 100 per cent due to SNMP polling for logical interfaces based on updates to the Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my).
Workaround: Restart the snmpd process by running the debug software restart process snmp CLI command. Note that restarting snmpd reduces the CPU usage to allow other operations, but does not prevent the issue from recurring the next time SNMP polling occurs for the LLDP-V2-MIB.my MIB.
PAN-93233
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
PA-7000 Series firewalls cause slow traffic over IPSec VPN tunnels when the tunnel session and inner traffic session are on different dataplanes because the firewalls reorder TCP segments during IPSec encryption.
Workaround: Keep the tunnel session and inner traffic session on the same dataplane. To determine which dataplane the tunnel session uses, first run the show vpn tunnel name <tunnel_name> CLI command to see the tunnel identifier, and then run the show vpn flow tunnel-id <tunnel_id> command to display the dataplane (owner cpuid). To force the inner traffic session onto the same dataplane, run the set session distribution-policy fixed <dataplane> command.
PAN-93207
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The firewall reports the incorrect hostname when responding to SNMP get requests.
PAN-93193
The memory-optimized VM-50 Lite intermittently performs slowly and stops processing traffic when memory utilization is critically high. To prevent this issue, make sure that you do not:
  • Switch to the firewall Context on the Panorama management server.
  • Commit changes when a dynamic update is being installed.
  • Generate a custom report when a dynamic update is being installed.
  • Generate custom reports during a commit.
Workaround: When the firewall performs slowly, or you see a critical System log for memory utilization, wait for 5 minutes and then manually reboot the firewall.
Use the Task Manager to verify that you are not performing memory intensive tasks such as installing dynamic updates, committing changes or generating reports, at the same time, on the firewall.
PAN-93184
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
(VM-50 Lite firewalls only) There are intermittent instances of wild-fire-auth failed due to ssl error 58 in the system log due to management plane out-of-memory errors when the varcvr process attempts to register to the cloud.
PAN-93090
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
When configuring a Google Cloud Platform (GCP) instance to assign an L3 DHCP interface to ethernet1/2, the GCP DHCP Server takes 30-50 seconds to respond to the DHCP discover request. This delay causes DHCP IP assignments to fail.
Workaround: To bypass the need to wait for the DHCP response, set the firewall interface to match the static IP address that GCP assigned to the network interface at creation. In the GCP console, this address is in the “Primary internal IP” column.
PAN-93072
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
For hardware firewalls that are decrypting SSL traffic, multiple commits in a short period of time can cause the firewall to become unresponsive. This issue applies only to a hardware firewall with SSL decryption enabled; it does not apply to virtual firewalls.
PAN-93005
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
The firewall generates System logs with high severity for Dataplane under severe load conditions that do not affect traffic.
PAN-92892
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
(VM-50 Lite firewalls only) There are intermittent instances of Failed to back up PAN-DB in the system log due to management plane out-of-memory errors when the devsrvr process attempts to run an md5 checksum.
PAN-92858
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
The Panorama management server cannot generate reports, and the ACC page intermittently becomes unresponsive when too many heartbeats are missed because report IDs greater than 65535 are never cleared.
PAN-92678
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
On Panorama management servers in an HA configuration, after failover causes the secondary HA peer to become active, it fails to deploy scheduled dynamic updates to Log Collectors and firewalls.
Workaround: Manually deploy the dynamic updates (Panorama > Device Deployment > Dynamic Updates).
PAN-92604
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
A Panorama Collector Group does not forward logs to some external servers after you configure multiple server profiles (Panorama > Collector Groups > <Collector_Group> > Collector Log Forwarding).
PAN-92564
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
A small percentage of writable third-party SFP transceivers (not purchased from Palo Alto Networks®) can stop working or experience other issues after you upgrade the firewall to which the SFPs are connected to a PAN-OS 8.0 or PAN-OS 8.1 release. If your firewall uses third-party SFPs, Palo Alto Networks recommends that you do not upgrade to a PAN-OS 8.0 or PAN-OS 8.1 release until we release maintenance releases that address this issue. Additionally, after we provide releases with this fix and you begin the upgrade process, you must not reboot the firewall after you download and install the PAN-OS 8.0 or PAN-OS 8.1 base image until after you download and install a maintenance release with this fix.
For additional details, upgrade considerations, and instructions for upgrading your firewalls, refer to the PAN-OS 8.0 upgrade information or the PAN-OS 8.1 upgrade information, as appropriate.
PAN-92487
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Enabling jumbo frames (Device > Setup > Session) reduces throughput because:
  • The firewalls hardcode the maximum segment size (TCP MSS) within TCP SYN packets and in server-to-client traffic at 1,460 bytes when packets exceed that size.
  • PA-7000 Series and PA-5200 Series firewalls hardcode the maximum transmission unit (MTU) at 1,500 bytes for the encapsulation stage when tunneled clear-text traffic and the originating tunnel session reside on different dataplanes.
PAN-92366
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
PA-5200 Series firewalls in an active/passive HA configuration drop Bidirectional Forwarding Detection (BFD) sessions when the passive firewall is in an initialization state after you reboot it.
Workaround: On the passive firewall, set the Passive Link State to Shutdown (Device > High Availability > General > Active/Passive Settings).
PAN-92334
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.
(PAN-OS 8.1.1 through PAN-OS 8.1.3 only) The firewall fails to forward correlation events if you do not first configure a log forwarding profile for correlated events.
Workaround: Configure log forwarding for correlated events (Device > Log Settings > Correlation).
PAN-92163
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
Firewalls in an active/passive HA configuration take longer than expected to fail over after you configure them to redistribute routes between an interior gateway protocol (IGP) and Border Gateway Protocol (BGP).
PAN-92155
You cannot configure an IP address using templates for HA2 (Device > High Availability > Data Link (HA2)) when set to IP or Ethernet for Panorama management servers in an HA configuration.
Workaround: Configure HA2 in the CLI using the following commands:
> configure
# set template <template_name> config deviceconfig high-availability interface ha2 ip-address <IP_address>
PAN-92152
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
The firewall web interface displays a blank Device > Licenses page when the customer has 10 x 5 phone support.
PAN-92149
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
On PA-3250 and PA-3260 firewalls, the hardware signature match engine is disabled and the PAN-OS software performs signature matching instead, resulting in a ten percent degradation in threat detection performance.
PAN-92105
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Panorama Log Collectors do not receive some firewall logs and take longer than expected to receive all logs when the Collector Group has spaces in its name.
Workaround: Configure Collector Group names without spaces.
PAN-92017
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
Log Collectors that belong to a collector group with a space in its name fail to fully connect to one another, which affects log visibility and logging performance.
Workaround: Configure Collector Group names without spaces.
PAN-91946
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
The Panorama management server intermittently does not refresh data about the health of managed firewalls (Panorama > Managed Devices > Health). This results in some session statistics being displayed as 0.
PAN-91809
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
After you reboot the VM-Series firewall for Azure, some interfaces configured as DHCP clients intermittently do not receive DHCP-assigned IP addresses.
Workaround: First, configure static IP addresses on the affected interfaces on the firewall and commit the change. Then enable DHCP on the same interfaces and commit again. When the commit finishes, the interfaces will receive DHCP-assigned IP addresses.
PAN-91802
On a VM-Series firewall, the clear session all CLI command does not clear GTP sessions.
PAN-91776
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
End users cannot authenticate to GlobalProtect after you specify a User Domain with Microsoft-supported symbols such as the dollar symbol ($) in the authentication profile (Device > Authentication Profile).
PAN-91689
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The Panorama management server removes address objects and, in the Network tab settings and NAT policy rules, uses the associated IP address values without reference to the address objects before pushing configurations to firewalls.
PAN-91421
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
The firewall dataplane restarts and results in temporary traffic loss when any process stops responding while system resource usage is running high.
PAN-91370
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
The firewall drops IPv6 traffic while enforcing IPv6 bidirectional NAT policy rules because the firewall incorrectly translates the destination address for a host that resides on a directly attached network.
Workaround: Above the bidirectional rule in your NAT policy, add an NPTv6 rule that specifies no translation and matches the IPv6 address configured on the interface that the firewall uses for traffic to the directly attached network.
PAN-91238
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
An Aggregate Ethernet (AE) interface with Link Aggregation Control Protocol (LACP) enabled on the firewall goes down after a Cisco Nexus primary virtual port channel (vPC) switch LACP peer reboots and comes back up.
Workaround: Set a hold time on the AE interface by running the debug l2ctrld lacp set hold-time CLI command. The hold time (default is 15 seconds) specifies the delay before the firewall processes LACP protocol data units (PDUs) after LACP-enabled interfaces come up.
PAN-91236
The Panorama management server does not display new logs collected on M-Series Log Collectors because the logging search engine does not register during system startup when logging disk checks and RAID mounting take longer than two hours to complete.
PAN-91088
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
On PA-7000 Series firewalls in an HA configuration, the HA3 link does not come up after you upgrade to PAN-OS 8.0.6 or a later release.
Workaround: Unplug and replug the HSCI modules.
PAN-91059
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.
GTP log query filters do not work when you filter based on a value of unknown for the message type or GTP interface fields (Monitor > Logs > GTP).
PAN-90947
The PA-5250 firewall stops responding when you configure 2,900 or more DHCP relay agent interfaces.
PAN-90565
The firewall does not accept wildcards (*) as standalone characters to match all IMSI identifiers when you configure IMSI Filtering in a GTP Protection profile (Objects > Security Profiles > GTP Protection > Filtering Options > IMSI Filtering).
PAN-90404
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
The Panorama management server intermittently displays the connections among Log Collectors as disconnected after pushing configurations to a Collector Group (Panorama > Managed Collectors).
PAN-90347
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
On a PA-5000 Series firewall configured to use an IPSec tunnel containing multiple proxy IDs (Network > IPSec Tunnels > <tunnel> > Proxy IDs), the firewall drops tunneled traffic after clear text sessions are established on a dataplane other than the first dataplane (DP0).
Workaround: Use Palo Alto Networks firewalls on both ends of the IPSec tunnel, or use one proxy ID per tunnel, or use only DP0 for establishing clear text sessions (run the set session processing-cpu dp0 CLI command).
PAN-90301
The firewall generates false positives during GTP-in-GTP checks because it detects some DNS-in-GTP packets as GTP-in-GTP packets (Objects > Security Profiles > GTP Protection > <GTP_Protection_profile> > GTP Inspection > GTP-U).
PAN-90096
This issue is now resolved. See PAN-OS 8.1.6 Addressed Issues.
Threat logs record incorrect IMSI values for GTP packets after you enable Packet Capture in Vulnerability Protection profiles (Objects > Security Profiles > Vulnerability Protection > <Vulnerability_Protection_profile> > Rules).
PAN-89794
This issue is now resolved. See PAN-OS 8.1.2 Addressed Issues.
(PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls only in an HA configuration) Multicast sessions intermittently stop forwarding traffic after HA failover on firewalls with hardware offloading enabled (default).
Workaround: Disable hardware offloading by running the set session offload no CLI command and clear any multicast sessions that are already offloaded after failover by running the clear session CLI command.
PAN-89402
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.
On PA-3200 Series firewalls, Ethernet ports 2, 3, 4, 6, 7, 8, and 10 function only at 1,000Mbps (1Gbps); you should not configure these ports to run at any other speed. (Ethernet ports 1, 5, 9, 11, and 12 function at 10Mbps, 100Mbps, or 1,000Mbps.)
PAN-88987
When you configure a PA-5220 firewall with Dynamic IP and Port (DIPP) NAT, the number of translated IP addresses cannot exceed 3,000; otherwise, the commit fails.
PAN-88852
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
VM-Series firewalls stop displaying URL Filtering logs after you configure a URL Filtering profile with an alert action (Objects > Security Profiles > URL Filtering).
PAN-88649
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
After receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentifies them as user accounts and overrides usernames with machine names in IP address-to-username mappings.
PAN-88487
The firewall stops enforcing policy after you manually refresh an External Dynamic List (EDL) that has an invalid IP address or that resides on an unreachable web server.
Workaround: Do not refresh EDLs that have invalid IP addresses or that reside on unreachable web servers.
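For PAN-88487, a pre-check you can run against an IP-type list before a manual refresh (an added example, not Palo Alto Networks code). The accepted entry forms (one IPv4/IPv6 address, CIDR subnet, or start-end range per line) and the `fetch` callable are assumptions; the sample list is constructed.

```python
import ipaddress


def _parse_ip(token):
    """Return an ip_address object, or None if token is not a valid address."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def check_entry(entry):
    """Return None when the entry is acceptable, otherwise a reason string."""
    if "/" in entry:
        # CIDR subnet; strict=False tolerates host bits such as 10.0.0.5/24.
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            return f"bad subnet: {exc}"
        return None
    if "-" in entry:
        # Range written as <start>-<end>.
        start_s, _, end_s = entry.partition("-")
        start, end = _parse_ip(start_s.strip()), _parse_ip(end_s.strip())
        if start is None or end is None:
            return "bad range endpoint"
        if start.version != end.version:
            return "range mixes IPv4 and IPv6"
        if start > end:
            return "range start is above range end"
        return None
    if _parse_ip(entry) is None:
        return "not an IP address"
    return None


def validate_edl(text):
    """Return [(line_number, entry, reason)] for every unacceptable line."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no entry
        reason = check_entry(entry)
        if reason:
            problems.append((line_no, entry, reason))
    return problems


def safe_to_refresh(fetch):
    """Check both conditions named in the issue: reachability and content.

    fetch is a hypothetical zero-argument callable that returns the list
    body as text, or raises OSError when the web server cannot be reached.
    """
    try:
        body = fetch()
    except OSError as exc:
        return False, [(0, "", f"source unreachable: {exc}")]
    problems = validate_edl(body)
    return (not problems), problems


# Constructed sample list: lines 5-7 are deliberately invalid.
SAMPLE_EDL = """\
192.0.2.10
198.51.100.0/24
203.0.113.5-203.0.113.20
2001:db8::/32
192.0.2.300
203.0.113.20-203.0.113.5
198.51.100.0/33
"""

if __name__ == "__main__":
    ok, problems = safe_to_refresh(lambda: SAMPLE_EDL)
    print("safe to refresh:", ok)
    for line_no, entry, reason in problems:
        print(f"  line {line_no}: {entry!r}: {reason}")
```
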
PAN-88048
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
A VM-Series firewall on KVM in MMAP mode doesn't receive traffic after you configure it to use the i40e single-root input/output virtualization (SR-IOV) virtual function (VF).
PAN-87990
The WF-500 appliance becomes inaccessible over SSH and becomes stuck in a boot loop after you upgrade from a release lower than PAN-OS 8.0.1 and try to upgrade to PAN-OS 8.0.5 or a later release.
PAN-87309
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
When you configure a GlobalProtect gateway to exclude all video streaming traffic from the VPN tunnel, Hulu and Sling TV traffic cannot be redirected if you do not configure any security profiles (such as a File Blocking profile) for your firewall Security policy.
PAN-86936
Logs are temporarily unavailable on Panorama Log Collectors because the vldmgr process restarts.
PAN-86903
In rare cases, PA-800 Series firewalls shut themselves down due to a false over-current measurement.
PAN-86028
This issue is now resolved. See PAN-OS 8.1.1 Addressed Issues.
(HA active/active configurations only) Traffic in a GlobalProtect VPN tunnel in SSL mode fails after Layer 7 processing is completed if asymmetric routing is involved.
PAN-85691
Authentication policy rules based on multi-factor authentication (MFA) don't block connections to an MFA vendor when the MFA server profile specifies a Certificate Profile that has the wrong certificate authority (CA) certificate.
PAN-84670
This issue is now resolved. See PAN-OS 8.1.7 Addressed Issues.
When you disable decryption for HTTPS traffic, end users who don't have valid authentication timestamps can access HTTPS services and applications regardless of Authentication policy.
Workaround: Create a Security policy rule that blocks HTTPS traffic that is not decrypted.
PAN-84488
On PA-7000 Series and PA-5200 Series firewalls, client systems can use a translated IP address-and-port pair for only one connection even if you configure the Dynamic IP and Port (DIPP) NAT Oversubscription Rate to allow multiple connections (Device > Setup > Session > Session Settings > NAT Oversubscription).
PAN-84199
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.
After you disable the Skip Auth on IKE Rekey option in the GlobalProtect gateway, the firewall still applies the option: end users with endpoints that use Extended Authentication (X-Auth) don't have to re-authenticate when the key used to establish the IPSec tunnel expires (Network > GlobalProtect > Gateways > <gateway> > Agent > Tunnel Settings).
PAN-84045
VM-Series firewalls in an HA configuration with Data Plane Development Kit (DPDK) enabled experience HA path monitoring failures and (in active/passive deployments) HA failover.
PAN-83610
In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persistently disable session offload for only UDP traffic using the set session udp-offload no CLI command.
PAN-83598
VM-Series firewalls cannot monitor more than 500 virtual machine (VM) information sources (Device > VM Information Sources).
PAN-83236
The VM-Series firewall on Google Compute Platform does not publish firewall metrics to Google Stack Monitoring when you manually configure a DNS server IP address (Device > Setup > Services).
Workaround: The VM-Series firewall on Google Cloud Platform must use the DNS server that Google provides.
PAN-83215
SSL decryption based on ECDSA certificates does not work when you import the ECDSA private keys onto a Thales nShield hardware security module (HSM).
PAN-83047
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
The firewall displays the following commit warning when you configure a GlobalProtect gateway with a Tunnel Interface set to the default tunnel interface (Network > GlobalProtect > Gateways > <gateway> > General) even after you enable IPv6: Warning: tunnel tunnel ipv6 is not enabled. IPv6 address will be ignored!
PAN-82987
This issue is now resolved. See PAN-OS 8.1.4 Addressed Issues.
The web interface intermittently becomes unresponsive during ACC queries.
PAN-82278
Filtering does not work for Threat logs when you filter for threat names that contain certain characters: single quotation ('), double quotation ("), back slash (\), forward slash (/), backspace (\b), form feed (\f), new line (\n), carriage return (\r), and tab (\t).
PAN-81521
Endpoints fail to authenticate to GlobalProtect through Kerberos when you specify an FQDN instead of an IP address in the Kerberos server profile (Device > Server Profiles > Kerberos).
Workaround: Replace the FQDN with the IP address in the Kerberos server profile.
PAN-79423
Panorama cannot push address group objects from device groups to managed firewalls when zones specify the objects in the User Identification ACL include or exclude lists (Network > Zones) and the Share Unused Address and Service Objects with Devices option is disabled (Panorama > Setup > Management > Panorama Settings).
PAN-79291
This issue is now resolved. See PAN-OS 8.1.3 Addressed Issues.
An intermittent issue occurs with ZIP hardware offloading (hardware-based decompression) where firewalls identify ZIP files as threats when they are sent over Simple Mail Transfer Protocol (SMTP).
PAN-77125
PA-7000 Series, PA-5200 Series, and PA-3200 Series firewalls configured in tap mode don’t close offloaded sessions after processing the associated traffic; the sessions remain open until they time out.
Workaround: Configure the firewalls in virtual wire mode instead of tap mode, or disable session offloading by running the set session offload no CLI command.
PAN-75457
(PAN-OS 8.0.1 and later releases) In WildFire appliance clusters that have three or more nodes, the Panorama management server does not support changing node roles. In a three-node cluster, for example, you cannot use Panorama to configure the worker node as a controller node by adding the HA and cluster controller configurations, configure an existing controller node as a worker node by removing the HA configuration, and then commit and push the configuration. Attempts to change cluster node roles from Panorama result in a validation error: the commit fails and the cluster becomes unresponsive.
PAN-73530
The firewall does not generate a packet capture (pcap) when a Data Filtering profile blocks files.
PAN-73401
(PAN-OS 8.0.1 and later releases) When you import a two-node WildFire appliance cluster into the Panorama management server, the controller nodes report their state as out-of-sync if either of the following conditions exists:
  • You did not configure a worker list to add at least one worker node to the cluster. (In a two-node cluster, both nodes are controller nodes configured as an HA pair. Adding a worker node would make the cluster a three-node cluster.)
  • You did not configure a service advertisement (either by enabling or not enabling advertising DNS service on the controller nodes).
Workaround: There are three possible workarounds to sync the controller nodes:
  • After you import the two-node cluster into Panorama, push the configuration from Panorama to the cluster. After the push succeeds, Panorama reports that the controller nodes are in sync.
  • Configure a worker list on the cluster controller:
    admin@wf500(active-controller)# set deviceconfig cluster mode controller worker-list <worker-ip-address>
    (<worker-ip-address> is the IP address of the worker node you are adding to the cluster.) This creates a three-node cluster. After you import the cluster into Panorama, Panorama reports that the controller nodes are in sync. When you want the cluster to have only two nodes, use a different workaround.
  • Configure service advertisement on the local CLI of the cluster controller and then import the configuration into Panorama. The service advertisement can advertise that DNS is or is not enabled.
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled yes
    or
    admin@wf500(active-controller)# set deviceconfig cluster mode controller service-advertisement dns-service enabled no
    Both commands result in Panorama reporting that the controller nodes are in sync.
PAN-72861
When you configure a PA-7000 Series or PA-5200 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets (Policies > Tunnel Inspection > <tunnel_inspection_rule> > Inspection > Inspect Options), and you run the clear session all CLI command while traffic is traversing a tunnel, the firewall temporarily drops tunneled packets.
PAN-71765
Deactivating a VM-Series firewall from Panorama completes successfully but the web interface does not update to indicate that deactivation finished.
Workaround: View deactivation status from Panorama > Managed Devices.
PAN-71329
Local users and user groups in the Shared location (all virtual systems) are not available to be part of the user-to-application mapping for GlobalProtect Clientless VPN applications (Network > GlobalProtect > Portals > <portal> > Clientless VPN > Applications).
Workaround: Create users and user groups in specific virtual systems on firewalls that have multiple virtual systems. For single virtual systems (like VM-Series firewalls), users and user groups are created under Shared and are not configurable for Clientless VPN applications.
PAN-70906
If the PAN-OS web interface and the GlobalProtect portal are enabled on the same IP address, then when a user logs out of the GlobalProtect portal, the administrative user is also logged out from the PAN-OS web interface.
Workaround: Use the IP address to access the PAN-OS web interface and an FQDN to access the GlobalProtect portal.
PAN-70023
Authentication using auto-filled credentials intermittently fails when you access an application using GlobalProtect Clientless VPN.
Workaround: Manually enter the credentials.
PAN-69505
When you view an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
PAN-62453
Entering vSphere maintenance mode on a VM-Series firewall without first shutting down the Guest OS for the agent VMs causes the firewall to shut down abruptly, and results in issues after the firewall is powered on again. Refer to Issue 1332563 in the VMware Release Notes.
Workaround: VM-Series firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts and you should not migrate those firewalls. Before you enter vSphere maintenance mode, use the VMware tools to ensure a graceful shutdown of the VM-Series firewall.
PAN-58872
The automatic license deactivation workflow for firewalls with direct internet access does not work.
Workaround: Use the request license deactivate key features <name> mode manual CLI command to Deactivate a Feature License or Subscription Using the CLI. To Deactivate a VM-Series firewall, choose Complete Manually (instead of Continue) and follow the steps to manually deactivate the VM.
PAN-55825
Performing an AutoFocus remote search that is targeted to a firewall or Panorama management server does not work correctly when the search condition contains a single or double quotation mark.
PAN-55437
HA for VM-Series firewalls does not work in AWS regions that do not support the signature version 2 signing process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt) and Korea (Seoul).
PAN-55203
When you change the reporting period for a scheduled report, such as the SaaS Application Usage PDF report, the report can have incomplete or no data for the reporting period.
Workaround: If you need to change the reporting period for any scheduled report, create a new report for the desired time period instead of modifying the time period on an existing report.
PAN-54254
In Traffic logs, the following session end reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicate the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param, or decrypt-error.
PAN-53825
On the VM-Series for NSX firewall, when you add or modify an NSX service profile zone on Panorama, you must perform a Panorama commit and then push device group configurations with the Include Device and Network Templates option selected (Commit > Commit and Push). To successfully redirect traffic to the VM-Series for NSX firewall, you must push both device group and template configurations when you modify the zone configuration to ensure that the zones are available on the firewall.
PAN-53663
When you open the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) on multiple tabs in a browser, each for a different virtual system (vsys), and you then attempt to export PDFs from each tab, only the first request is accurate; all successive attempts result in PDFs that are duplicates of the first report.
Workaround: Export only one PDF at a time and wait for that export process to finish before initiating the next export request.
PAN-51969
On the NSX Manager, when you unbind an NSX Security Group from an NSX Security Policy rule, the dynamic tag and registered IP address are updated on the Panorama management server but are not sent to the VM-Series firewalls.
Workaround: To push the Dynamic Address Group updates to the VM-Series firewalls, you must manually synchronize the configuration with the NSX Manager (select Panorama > VMware Service Manager and select NSX Config-Sync).
PAN-51952
If a security group overlap occurs in an NSX Security policy where the same security group is weighted with a higher and a lower priority value, the traffic may be redirected to the wrong service profile (VM-Series firewall instance). This issue occurs because an NSX Security policy with a higher weight does not always take precedence over a policy with a lower weight.
Workaround: Make sure that members that are assigned to a security group are not overlapping with another Security group and that each security group is assigned to a unique NSX Security policy rule. This allows you to ensure that NSX Security policy does not redirect traffic to the wrong service profile (VM-Series firewall).
PAN-51870
When using the CLI to configure the management interface as a DHCP client, the commit fails if you do not provide all four DHCP parameters in the command. For a successful commit when using the set deviceconfig system type dhcp-client configuration mode CLI command, you must include each of the following parameters: accept-dhcp-domain, accept-dhcp-hostname, send-client-id, and send-hostname.
PAN-51869
Canceling pending commits does not immediately remove them from the commit queue. The commits remain in the queue until PAN-OS dequeues them.
PAN-51673
BFD sessions are not established between two RIP peers when there are no RIP advertisements.
Workaround: Enable RIP on another interface to provide RIP advertisements from a remote peer.
PAN-51216
The NSX Manager fails to redirect traffic to the VM-Series firewall when you define new Service Profile zones for NSX on the Panorama management server. This issue occurs intermittently on the NSX Manager when you define security rules to redirect traffic to the new service profiles that are available for traffic introspection and results in the following error:
Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Oddhost on service (Palo Alto Networks NGFW) when binding to host <name>.
PAN-51122
For the VM-Series firewall, after you manually reset a heartbeat failure alarm on the vCenter server to indicate that the VM-Series firewall is healthy (change color to green), the vCenter server does not trigger a heartbeat failure alarm again.
PAN-48456
IPv6-to-IPv6 Network Prefix Translation (NPTv6) is not supported when configured on a shared gateway.
PAN-46344
When you use a Mac OS Safari browser, client certificates will not work for Captive Portal authentication.
Workaround: On a Mac OS system, instruct end users to use a different browser (for example, Mozilla Firefox or Google Chrome).
PAN-45793
On a firewall with multiple virtual systems, when you add an authentication profile to a virtual system and give the profile the same name as an authentication sequence in Shared, reference errors occur. The same errors occur if the profile is in Shared and the sequence with the same name is in a virtual system.
Workaround: When creating authentication profiles and sequences, always enter unique names, regardless of their location. For existing authentication profiles and sequences with similar names, rename the ones that are currently assigned to configurations (such as a GlobalProtect gateway) to ensure uniqueness.
PAN-43000
Vulnerability detection of SSLv3 fails when SSL decryption is enabled. This occurs when you attach a Vulnerability Protection profile (that detects SSLv3—CVE-2014-3566) to a Security policy rule and that Security policy rule and a Decryption policy rule are configured on the same virtual system in the same zone. After performing SSL decryption, the firewall sees decrypted data and no longer sees the SSL version number. In this case, the SSLv3 vulnerability is not identified.
Workaround: PAN-OS 7.0 introduced enhancements to SSL Decryption that enable you to prohibit the inherently weaker SSL/TLS versions, which are more vulnerable to attacks. For example, you can use a Decryption Profile to enforce a minimum protocol version of TLS 1.2 or select Block sessions with unsupported versions to disallow unsupported protocol versions (Objects > Decryption Profile > SSL Decryption > {SSL Forward Proxy | SSL Inbound Inspection}).
PAN-41558
When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as StrongSwan.
Workaround: Use a physical firewall interface instead of a loopback firewall interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic.
PAN-40130
In the WildFire Submissions logs, the email recipient address is not correctly mapped to a username after you push LDAP group mappings to the firewall from a Panorama template.
PAN-40079
The VM-Series firewall on KVM, for all supported Linux distributions, does not support the Broadcom network adapters for PCI pass-through functionality.
PAN-40075
The VM-Series firewall on KVM running on Ubuntu 12.04 LTS does not support PCI pass-through functionality.
PAN-39728
The URL logging rate is reduced after you enable HTTP header logging in the URL Filtering profile (Objects > Security Profiles > URL Filtering > <URL_Filtering_profile> > Settings).
PAN-39636
Regardless of the Time Frame you specify for a scheduled custom report on a Panorama M-Series appliance, the earliest possible start date for the report data is effectively the date when you configured the report (Monitor > Manage Custom Reports). For example, if you configure the report on the 15th of the month and set the Time Frame to Last 30 Days, the report that Panorama generates on the 16th will include only data from the 15th onward. This issue applies only to scheduled reports; on-demand reports include all data within the specified Time Frame.
Workaround: To generate an on-demand report, click Run Now when you configure the custom report.
PAN-39501
The firewall does not clear unused NAT IP address pools after a single commit, so a commit fails when the combined cache of unused pools, existing used pools, and new pools exceeds the memory limit.
Workaround: Commit a second time, which clears the old pool allocation.
PAN-38255
When you perform a factory reset on a Panorama virtual appliance and configure the serial number, logging does not work until you reboot Panorama or execute the debug software restart process management-server CLI command.
PAN-37511
Due to a limitation related to the Ethernet chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will not perform link fault signaling as standardized when a fiber in the fiber pair is cut or disconnected.
PAN-37177
After you deploy the VM-Series firewall and it connects to the Panorama management server, you must commit to Panorama (Commit > Commit to Panorama) to ensure that Panorama recognizes the firewall as a managed device. If you reboot Panorama without committing the changes, the firewall does not reconnect with Panorama; although the device group displays the list of firewalls, the firewall does not display in Panorama > Managed Devices.
Furthermore, when Panorama has an HA configuration, the VM-Series firewall is not added to the passive Panorama peer until the active Panorama peer synchronizes the configuration. During this time, the passive Panorama peer logs a critical message: vm-cfg: failed to process registration from svm device. vm-state: active. The passive peer logs this message until you commit the changes on the active Panorama, which then initiates synchronization between the Panorama HA peers and adds the VM-Series firewall to the passive Panorama peer.
Workaround: To reconnect to the managed firewalls, commit your changes to Panorama. In an HA deployment, the commit initiates the synchronization of the running configuration between the Panorama HA peers.
PAN-36730
When deleting the VM-Series deployment, all VMs are deleted successfully; however, sometimes a few instances still remain in the datastore.
Workaround: Manually delete the VM-Series firewalls from the datastore.
PAN-36728
(VM-Series for NSX firewalls only) In some scenarios, traffic from newly added guests or virtual machines is not steered to the VM-Series firewall even when the guests belong to a Security Group and are attached to a Security Policy that redirects traffic to the VM-Series firewall.
Workaround: Reapply the Security Policy on the NSX Manager.
PAN-36727
The VM-Series firewall fails to deploy and displays the following error message: Invalid OVF Format in Agent Configuration.
Workaround: Use the following command to restart the ESX Agent Manager process on the vCenter Server: /etc/init.d/vmware-vpxd tomcat-restart.
PAN-36433
When HA failover occurs on Panorama at the time that the NSX Manager is deploying the VM-Series NSX edition firewall, the licensing process fails with the following error: vm-cfg: failed to process registration from svm device. vm-state: active.
Workaround: Delete the unlicensed instance of the VM-Series firewall on each ESXi host and then redeploy the Palo Alto Networks next-generation firewall service from the NSX Manager.
PAN-36394
(VM-Series for NSX firewalls only) When the datastore is migrated for a guest, all current sessions are no longer steered to the VM-Series firewall. However, all new sessions are secured properly.
PAN-36393
When deploying the VM-Series firewall, the Task Console displays Error while enabling agent. Cannot complete the operation. See the event log for details. This error displays even on a successful deployment. You can ignore the message if the VM-Series firewall is successfully deployed.
PAN-36088
When an ESXi host is rebooted or shut down, the functional status of the guests is not updated. Because the IP address is not updated, the dynamic tags do not accurately reflect the functional state of the guests that are unavailable.
PAN-36049
The VMware vCenter Server/vmtools displays the IP address for a guest incorrectly after VLAN tags are added to an Ethernet port. The display does not accurately show the IP addresses associated with the tagged Ethernet port and the untagged Ethernet port. This issue occurs on some Linux OS versions such as Ubuntu.
PAN-35903
When you edit a traffic introspection rule (to steer traffic to the VM-Series firewall) on the NSX Manager, an invalid (tcp) port number error or invalid (udp) port number error displays when you remove the destination (TCP or UDP) port.
Workaround: Delete the rule and add a new one.
PAN-35875
When defining traffic introspection rules (to steer traffic to the VM-Series firewall) on the NSX Manager, either the source or the destination for the rule must reference the name of a Security Group; you cannot create a rule from any to any Security Group.
Workaround: To redirect all traffic to the VM-Series firewall, you must create a Security Group that includes all the guests in the cluster. Then you can define a security policy that redirects traffic from and to the cluster so that the firewall can inspect and enforce policy on the east-west traffic.
PAN-35874
Duplicate packets are steered to the VM-Series firewall after you enable distributed vSwitch for steering in promiscuous mode.
Workaround: Disable promiscuous mode.
PAN-34966
On a VM-Series NSX edition firewall, when adding or removing a Security Group (Container) that is bound to a Security Policy, the Panorama management server does not get a dynamic update of the added or removed Security Group.
Workaround: Select Panorama > VMware Service Manager and Synchronize Dynamic Objects to initiate a manual synchronization to get the latest update.
PAN-34855
On a VM-Series NSX edition firewall, Dynamic Tags (update) do not reflect the actual IP address set on the guest. This issue occurs because the vCenter Server cannot accurately view the IP address of the guest.
PAN-31832
The following issues apply when configuring a firewall to use a hardware security module (HSM):
  • Thales nShield Connect—The firewall requires at least four minutes to detect that an HSM was disconnected, causing SSL functionality to be unavailable during the delay.
  • SafeNet Network—When losing connectivity to either or both HSMs in an HA configuration, the display of information from the show high-availability state and show hsm info commands is blocked for 20 seconds.
PAN-25046
Firewalls store SSH host keys used for SCP log exports in the known hosts file. In an HA deployment, PAN-OS synchronizes the SCP log export configuration between the firewall HA peers (Device > Scheduled Log Export), but not the known hosts file. When a failover occurs, the SCP log export fails.
Workaround: Log in to each peer in HA, select Device > Scheduled Log Export > <log_export_configuration>, and Test SCP server connection to confirm the host key so that SCP log forwarding continues to work after a failover.
PAN-23732
After you use a Panorama template to push a log export schedule that specifies an SCP server as the destination (Device > Scheduled Log Export), you must log in to each firewall that receives the schedule and Test SCP server connection. The connection is not established until the firewall accepts the host key for the SCP server.
