Known Issues Related to PAN-OS 8.1 Releases
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1
End-of-Life (EoL)
Known Issues Related to PAN-OS 8.1 Releases
List of known issues in the PAN-OS® 8.1 release.
The following list includes known issues specific to
PAN-OS
®
8.1 releases, which includes known issues specific
to Panorama™ and GlobalProtect™, as well as known issues that apply
more generally or that are not identified by an issue ID. See also the Known Issues Specific to the WF-500 Appliance.Issue ID | Description |
|---|---|
— | Upgrading a PA-200 or PA-500 firewall to
PAN-OS 8.1 can take 30 to 60 minutes to complete. Ensure uninterrupted
power to your firewall throughout the upgrade process. |
— | PAN-OS 8.1.1 introduces a new software integrity check; a failed check
results in a critical system log, while a passed check generates an
informational system log. To check for a software integrity
check failure, select Monitor > Logs and
enter the filter: (severity eq critical) and (eventid eq fips-selftest-integ) .Please
contact Palo Alto Networks Support if a device fails a software integrity
check. |
GPC-2742 | If you configure GlobalProtect portals and
gateways to use client certificates and LDAP as two factors of authentication,
Chromebook endpoints that run Chrome OS 47 or later versions encounter excessive
prompts to select a client certificate. Workaround: To
prevent excessive prompts, configure a policy to specify the client
certificate in the Google Admin console and deploy that policy to
your managed Chromebooks:
|
PLUG-380 | When you rename a device group, template,
or template stack in Panorama that is part of a VMware NSX service
definition, the new name is not reflected in NSX Manager. Therefore,
any ESXi hosts that you add to a vSphere cluster are not added to
the correct device group, template, or template stack and your Security
policy is not pushed to VM-Series firewalls that you deploy after
you rename those objects. There is no impact to existing VM-Series
firewalls. |
PAN-204689 | Upon upgrade to PAN-OS 8.1.25, the following GlobalProtect settings
do not work:
|
PAN-194455 | After successful upgrade to PAN-OS 8.1.23, ACC
widgets display as In Progress and no
data is loaded. |
PAN-177363 | Dedicated Log Collector system and config
logs cannot be ingested and are dropped when they are forwarded
to a Panorama management server in Management Only mode, resulting
in Dedicated Log Collector system and config logs not being viewable
on Panorama in Management Only mode. |
PAN-174004 | On the Panorama management server, local
or Dedicated Log Collector mode cannot successfully join an ElasticSearch
cluster when added to a Collector Group ( Panorama Collector Groups |
PAN-173509 | Superuser administrators with read-only
privileges ( Device Administrators Panorama Administrators
|
PAN-168113 | On the Panorama management server, you are
unable to configure a master key ( Device Master Key and Diagnostics Network Interfaces Ethernet Workaround: Remove the
referenced zone from the interface configuration to successfully
configure a master key. |
PAN-164885 | On the Panorama management server, pushes
to managed firewalls ( Commit Push to Devices Commit
and Push ) may fail when an EDL (Objects External Dynamic Lists Check for updates every 5 minutes
due to the commit and EDL fetch processes overlapping. This is more
likely to occur when multiple EDLs are configured to check for updates
every 5 minutes. |
PAN-162088 | On the Panorama management server in a high
availability (HA) configuration, content updates ( Panorama Dynamic Updates Install a content update
and enable Sync to HA Peer . |
PAN-161955 | Firewalls erroneously generate a high severity
system log (Monitor Logs System |
PAN-160410 | In the ACC , data
cannot be imported or exported when a User filter (ACC Network Activity Set Tab Filters User DOMAIN/USER ,
is applies to the Network Activity widget. |
PAN-157240 | When a firewall has hardware offloading
turned on and OSPF enabled, if ECMP is enabled or disabled for a
virtual router during a configuration commit, OSPF sessions may
get stuck in Exchange Start state. Workaround: Disable
OSPF when enabling or disabling ECMP, and then re-enable OSPF in
the next commit. |
PAN-154181 | On the Panorama management server, you cannot
context switch to the web interface of a managed firewall running
PAN-OS 8.1.16. Workaround: Downgrade the managed firewall
to PAN-OS 8.1.15 or earlier release. |
PAN-151909 | On the Panorama management server, Preview
Changes (Commit Commit to Panorama Network Virtual
Router |
PAN-150172 | Fixed an issue where dataplane processes
restarted when attempting to access websites that had the NotBefore attribute
less than or equal to Unix Epoch Time in the server certificate
with forward proxy enabled. |
PAN-144479 This issue is
now resolved. See PAN-OS 8.1.15 Addressed Issues | SNMP objects from the HOST-RESOURCES-MIB
return incorrect values when queried. |
PAN-140008 | ElasticSearch is forced to restart when
the masterd process misses too many
heartbeat messages on the Panorama management server resulting in
a delay in a log query and ingestion. |
PAN-138476 | There is an issue with Online Certificate
Status Protocol (OCSP) processing failure in queries for a process
(reportd) to Cortex Data Lake due to G1 issuer certification. |
PAN-138427 | Pushing a configuration from a Panorama
management server running PAN-OS 9.0 to a firewall running PAN-OS
8.1 produces a HTTP/2 warning. |
PAN-135260 This issue is
now resolved. See PAN-OS 8.1.13 Addressed Issues | ( PA-7000 Series firewalls running PAN-OS
8.1.12 only ) There is an intermittent issue where the dataplane
process (all_pktproc_X) on a Network Processing Card
(NPC) restarts unexpectedly when processing IPSec tunnel traffic.
This issue can occur on any NPC card in any slot. |
PAN-132598 | The Panorama management server does not
check for duplicate addresses in address groups ( Objects Address Groups Objects Service Groups |
PAN-131915 | There is an issue when you implement a new
firewall bootstrap with a USB drive where the bootstrap fails and
displays the following error message: no USB device found .Workaround: Perform
a factory reset or run the request system private-data-reset CLI
command and then proceed with bootstrapping. |
PAN-131792 This issue is
now resolved. See PAN-OS 8.1.15 Addressed Issues | The Name log filter ( Monitor Logs Traffic Policies Security |
PAN-130630 | ( VM-Series firewalls in Azure Load Balancer
pool only ) Latency occurs due to incorrect packet processing
flags. |
PAN-130550 | ( PA-3200 Series, PA-5220, PA-5250, PA-5260,
and PA-7000 Series firewalls ) For traffic between virtual systems
(inter-vsys traffic), the firewall cannot perform source NAT using
dynamic IP (DIP) address translation.Workaround: Use
source NAT with Dynamic IP and Port (DIPP) translation on inter-vsys
traffic. |
PAN-130069 This issue is
now resolved. See PAN-OS 8.1.13 Addressed Issues | There is an issue where the firewall incorrectly
interprets an external dynamic list MineMeld instability error code
as an empty external dynamic list. |
PAN-129692 | ( VM-Series firewalls in Microsoft Azure
environment only ) The firewall experiences traffic latency
due to an incompatible driver. |
PAN-128269 This issue is
now resolved. See PAN-OS 8.1.12 Addressed Issues | ( PA-5250, PA-5260, and PA-5280 firewalls
with 100GB AOC cables only ) When you upgrade the first peer
in a high availability (HA) configuration to PAN-OS 8.1.9-h4 or
a later PAN-OS 8.1 release, the High Speed Chassis Interconnect
(HSCI) port does not come up (due to an FEC mismatch) until after
you finish upgrading the second peer. |
PAN-127189 This issue is
now resolved. See PAN-OS 8.1.14 Addressed Issues | ( VM-Series firewalls only ) The
non-blocking pattern match setting is enabled by default, which
results in CTD performance degradation.Workaround: Manually
disable the feature and improve performance by using the following
CLI command: set system setting ctd nonblocking-pattern-match disable . |
PAN-126921 This issue is
now resolved. See PAN-OS 8.1.12 Addressed Issues | ( PA-7000 Series firewalls only )
There is an issue where internal path monitoring fails when the
firewall processes corrupt packets. |
PAN-124956 | There is an issue where VM-Series firewalls
do not support packet buffer protection. |
PAN-123322 This issue is
now resolved. See PAN-OS 8.1.12 Addressed Issues | ( PA-3200 Series, PA-5200 Series, and
PA-7000 Series firewalls running PAN-OS 8.1.11 only ) There
is an intermittent issue where a process (all_pktproc)
stops responding due to a Work Query Entry (WQE) corruption that
is caused by duplicate child sessions. |
PAN-122804 This issue is
now resolved. See PAN-OS 8.1.12 Addressed Issues | There is an issue on Panorama M-Series and
virtual appliances where the firewall stops forwarding logs to Cortex
Data Lake after you upgrade the cloud services plugin to version
1.4. |
PAN-120662 This issue is
now resolved. See PAN-OS 8.1.11 Addressed Issues | ( PA-7000 Series firewalls using PA-7000-20G-NPC
cards only ) There is an intermittent issue where an out-of-memory
(OOM) condition causes the dataplane or internal path monitoring
to stop responding. |
PAN-120440 | There is an issue on M-500 Panorama management
servers where any Ethernet interface with an IPv6 address having
Private PAN-DB-URL connectivity supports only the following format: 2001:DB9:85A3:0:0:8A2E:370:2 . |
PAN-120303 | There is an issue where the firewall remains
connected to the PAN-DB-URL server through the old management IP
address on the M-500 Panorama management server even after you configured
the Eth1/1 interface. Workaround: Update the PAN-DB-URL
IP address on the firewall using one of two methods.
|
PAN-119862 This issue is
now resolved. See PAN-OS 8.1.11 Addressed Issues | ( PA-5050 firewalls only ) There
is an intermittent issue where an out-of-memory (OOM) condition
causes the dataplane or internal path monitoring to stop responding. |
PAN-118065 | ( M-Series Panorama management servers
in Management Only mode ) When you delete the local Log Collector
(Panorama Managed Collectors Up after
you commit when you execute the show interface all command
in the CLI.Workaround: Disable the 1/1 Ethernet interface
before you delete the local log collector and then commit the configuration
change. |
PAN-118008 | ( Affects PA-3000 Series firewalls only )
There is an infrequently encountered issue where a low memory condition
intermittently prevents decoders from loading, leading to traffic
inspection issues related to the impacted decoder(s). |
PAN-117729 This issue is
now resolved. See PAN-OS 8.1.9 Addressed Issues | There is an issue where the firewall incorrectly
displays application dependency warnings ( Policies Security |
PAN-116436 | ( Panorama™ virtual appliances only )
There is a disk space calculation error that eventually leads to
an erroneous opt/panlogs/ partition full condition
and causes a process (CDB) to stop responding. |
PAN-116084 | ( PAN-OS 8.1.7 only ) A VM-Series
firewall on Microsoft Azure deployed using MMAP drops traffic when
the firewall experiences heavy traffic. |
PAN-116069 | ( PA-200 firewalls only ) There is
a rare out-of-memory (OOM) condition. |
PAN-111456 | The SCTP service object does not function
as expected in policy rules. |
PAN-114041 | ( Panorama M-Series and virtual appliances
only ) There is a rare issue where, as a result of known issue PAN-107636, new
Elasticsearch (ES) indices are empty, which prevents the web interface
from displaying logs for the days associated with those indices.
The root cause of this issue is addressed in PAN-OS 8.1.7; however,
if you cannot see logs for a given day, contact your Support team
to get help recovering them. |
PAN-113614 | There is an issue with a memory leak associated
with commits on Panorama appliances that eventually causes an unexpected
restart of the configuration (configd) process. |
PAN-113501 | The Panorama management server returns a
Secure Copy (SCP) server connection error after you create an SCP
Scheduled Config Export profile ( Panorama Scheduled Config Export |
PAN-113340 | ( PA-200 firewalls only ) There is
an issue where the management plane memory is lower than expected,
which causes the management plane to restart. |
PAN-112814 | ( PAN-OS 8.1.6 and later releases only )
H.323-based calls lose audio when the predicted H.245 session cannot
convert to Active status, which causes the firewall to incorrectly
drop H.245 traffic. |
PAN-112428 | If you use Panorama running PAN-OS 8.1.6
to manage a WildFire appliance that is running PAN-OS 8.1.5 or an
earlier PAN-OS 8.1. release, autocommits will intermittently fail
and Panorama will stop displaying device groups. Workaround: If
you use Panorama to manage any WildFire appliances running a PAN-OS
8.1.5 or earlier release, upgrade those WildFire appliances to PAN-OS
8.1.6 (or a later release) before you upgrade Panorama to PAN-OS
8.1.6 (or a later release). If you already upgraded Panorama to
PAN-OS 8.1.6, then upgrade all PAN-OS 8.1 WildFire appliances to
PAN-OS 8.1.6, as well, and then reboot Panorama. |
PAN-111928 | Invalid configuration errors are not displayed
as expected when you revert a Panorama management server configuration. Workaround: After
you revert the Panorama configuration, Commit (Commit Commit to Panorama |
PAN-111866 | The push scope selection on the Panorama
web interface displays incorrectly even though the commit scope
displays as expected. This issue occurs when one administrator makes
configuration changes to separate device groups or templates that
affect multiple firewalls and a different administrator attempts
to push those changes. Workaround: Perform one of the
following tasks.
|
PAN-111844 | ( VM-50 and VM-50 Lite firewalls only )
There is a rare out-of-memory (OOM) condition. |
PAN-111729 | If you disable DPDK mode and enable it again,
you must immediately reboot the firewall. |
PAN-111708 | ( PA-3200 Series firewalls only )
There is a rare software issue that causes the dataplane to restart
unexpectedly. |
PAN-111670 | Tagged VLAN traffic fails when sent through
an SR-IOV adapter. |
PAN-111553 | On the Panorama management server, the Include
Device and Network Templates setting is disabled by
default when you attempt to push changes to managed devices, which
causes your push to fail.Workaround: Before you commit
and push the configuration changes from Panorama to your managed
devices, edit the push scope (Commit Push to Devices Edit Selections Commit Commit and Push Edit Selections Include
Device and Network Templates . |
PAN-109759 | The firewall does not generate a notification
for the GlobalProtect client when the firewall denies an unencrypted
TLS session due to an authentication policy match. |
PAN-109594 | ( HA configurations only ) The dataplane
restarts when an IPsec rekey event occurs and causes a tunnel process
(tund) failure when one—but not both—HA peers is running
PAN-OS 8.0.14 or PAN-OS 8.1.5.Workaround: Temporarily
modify the IKE phase 2 lifetime for both peers (Network Network Profiles IPsec Crypto |
PAN-109526 | The system log does not display the URL
for CRL files correctly, the URLs are displayed with encoded characters. |
PAN-108805 | ( PA-3250 and PA-3260 firewalls only )
There is a rare issue with deterministic finite automaton (DFA)
signature matching in PAN-OS 8.1.2 and later releases that causes
the firewall to stop responding when using hardware-based DFA scanning
(default).Workaround: In PAN-OS 8.1.5, you can use
the following CLI commands to switch to software-based DFA scanning:
|
PAN-108165 | Memory issues on Palo Alto Networks hardware
and virtual appliances cause intermittent management plane instability. |
PAN-107636 | ( Panorama M-Series and virtual appliances
only ) There is a rare issue where the purge script does not
remove the oldest Elasticsearch (ES) indices to make room for new
ones as expected when the appliance reaches maximum capacity. This
prevents the web interface from displaying any logs for the days
associated with those new ES indices (see known issue PAN-114041) because those
indices are empty (the appliances cannot read or write to them).
If you experience this issue, contact your Support team for assistance. |
PAN-107449 | ( PAN-OS 8.1.4 only ) Firewalls fail
to establish IKE phase 1 or phase 2 when you specify Diffie-Hellman
(DH) group1 .Workaround: Specify
a DH group other than group1 . |
PAN-107271 | ( PA-3200 Series firewalls running PAN-OS
8.1.4 in an HA configuration only ) The physical link for the
HA1-B (backup) port does not function as expected, which means you
cannot use this port as an HA1 backup interface when running PAN-OS
8.1.4. |
PAN-106989 | There is a display-only issue on Panorama
that results in a commit failed status
for Template Last Commit State (Panorama Managed Devices Summary Workaround: Push
templates to managed devices. |
PAN-105737 | ( PAN-OS 8.1.7 and PAN-OS 8.1.8 only )
If you use the AUX 1 or AUX 2 interface and you do not configure
an IP address, network mask, and default gateway for the interface,
the interface will not come up when you upgrade the firewall to
PAN-OS 8.1.7. The most common use of AUX interfaces is to configure
AUX ports as HA1 and HA1 Backup interfaces for fiber connections
on PA-5200 Series firewalls in an HA configuration.Workaround: To
avoid a split-brain scenario in HA configurations as a result of
this issue, configure a default gateway on at least one of the AUX
interfaces. |
PAN-105210 | ( Panorama in FIPS mode only when managing
non-FIPS firewalls ) You cannot configure a GlobalProtect portal
on Panorama in FIPS mode when managing a non-FIPS firewall. If you
attempt to do so, you will receive the following error message: agent-user-override-key unexpected here Portal_fips. |
PAN-104808 | There is an issue where scheduled SaaS reports
generate and email empty PDF reports. Workaround: Manually
generate the report from the Panorama web interface. |
PAN-103290 This issue is
now resolved. See PAN-OS 8.1.15 Addressed Issues | ( PA-3200 Series firewalls only )
The firewall stops recording dataplane diagnostic data in dp-monitor.log
after a few hours of uptime. |
PAN-103276 | Adding a disk to a Panorama 8.1 virtual
appliance on VMware ESXi 6.5 update1 causes the Panorama virtual
appliance and host web client to become unresponsive. Workaround: Upgrade
the ESXi host to ESXi 6.5 update2 and add the disk again. |
PAN-102828 | ( Panorama plugins ) When you use
the AND/OR boolean operators to define the match criteria for Dynamic
Address Groups on Panorama, the boolean operators do not function
properly. The member IP addresses are not included in the address
group as expected. |
PAN-102140 | Extended Authentication (X-Auth) clients
intermittently fail to establish an IPSec tunnel to GlobalProtect
gateways. |
PAN-101819 | The Panorama Controller does not display
all commit-all jobs for Panorama Nodes
(Panorama Interconnect Tasks |
PAN-101688 | ( Panorama plugins ) The IP address-to-tag
mapping information registered on a firewall or virtual system is
not deleted when you remove the firewall or virtual system from
a Device Group.Workaround: Log in to the CLI on the
firewall and enter the following command to unregister the IP address-to-tag
mappings: debug object registered-ip clear all . |
PAN-100686 | An invalid public key is intermittently
applied to the administrator account when deploying a VM-Series
firewall in Google Cloud using the Google web interface. Workaround: The
administrator must log in to the firewall via SSH with a valid private
key using the ssh -i private-key-file admin@VM command.
Then, from the CLI, remove the invalid public key and add a password
for the admin Profile using the following configuration commands
from the CLI to enable successful commits:
|
PAN-100244 | There is a rare issue where a failed commit
or commit validation followed by a non-user-committed event (such
as an FQDN refresh, an external dynamic list refresh, or an antivirus
update) results in an unexpected change to the configuration that
causes the firewall to drop traffic. Workaround: Perform
a successful commit immediately after you experience this issue.
Alternatively, reload an earlier successfully-committed configuration
and manually refresh the FQDN list. |
PAN-100154 | ( PAN-OS 8.1.3 and later PAN-OS 8.1 releases
only ) The default static route always becomes the active route
and takes precedence over a DHCP auto-created default route that
is pointing to the same gateway regardless of the metrics or order
of installation. Thus, when the system has both a DHCP auto-created
default route and a manually configured default static route pointing
to the same gateway, the firewall always installs the default static
route in the FIB.Workaround: Set the Default
Route Metric in the web interface DHCP Client configuration
(Network Interfaces {Ethernet | VLAN} <interface> IPv4 |
PAN-99924 | Fixed an issue where the Panorama management
server web and command line interface (CLI) stopped responding after
a partial configuration load ( Panorama Setup Operations |
PAN-99483 | ( PA-5250, PA-5260, and PA-5280 firewalls
only ) When you deploy the firewall in a network that uses Dynamic
IP and Port (DIPP) NAT translation with PPTP, client systems are
limited to using a translated IP address-and-port pair for only
one connection. This issue occurs because the PPTP protocol uses
a TCP signaling (control) protocol that exchanges data using Generic
Routing Encapsulation (GRE) version 1 and the hardware cannot correlate
the call-id in the GRE version 1 header with the correct dataplane
(the one that owns the predict session of GRE). |
PAN-99084 | ( HA configurations running PAN-OS 8.0.9
or a later PAN-OS release ) If you disable the HA configuration
sync option (enabled by default), User-ID data does not sync as
expected between HA peers.Workaround: Re-Enable
Config Sync (Device High Availability General Setup settings |
PAN-98735 | Upgrading a Panorama management server on
Microsoft Azure from PAN-OS 8.1.0 to PAN-OS 8.1.1 or PAN-OS 8.1.2
results in an autocommit failure. Workaround: Before
you upgrade to PAN-OS 8.1.1 or PAN-OS 8.1.2, export your Panorama
8.1.0 configuration. Then upgrade the Panorama management server
and, when finished, import your exported configuration.Alternatively,
you can export the Panorama 8.1.0 configuration, deploy a new instance
of Panorama using the 8.1.2 image on the Azure marketplace, and
then import and reload the exported configuration. If
you decide to launch a new Panorama 8.1.2 VM through the Azure marketplace,
the web interface will display the image as PAN-OS8.1.2-h4 . |
PAN-97848 | Panorama on KVM deploys in Legacy mode instead
of Management Only mode even when meeting the minimum resource requirements for
Management Only mode. Workaround: After you successfully
deploy Panorama on KVM, change to Management Only mode. |
PAN-97757 | GlobalProtect authentication fails with
an Invalid username/password error
(because the user is not found in Allow List )
after you enable GlobalProtect authentication cookies and add a RADIUS
group to the Allow List of the authentication
profile used to authenticate to GlobalProtect.Workaround: Disable
GlobalProtect authentication cookies. Alternatively, disable (clear) Retrieve
user group from RADIUS in the authentication profile
and configure group mapping from Active Directory (AD) through LDAP. |
PAN-97561 | Panorama appliances running PAN-OS 8.1.2
cannot connect to the Logging Service:
|
PAN-97524 | ( Panorama management server only )
The Security Zone and Virtual System columns (Network tab)
display None after a Device Group and Template
administrator with read-only privileges performs a context switch. |
PAN-96985 | The request shutdown system command
does not shut down the Panorama management server. |
PAN-96960 | You cannot restart or shutdown a Panorama
on KVM from the Virtual-manager console or virsch CLI. |
PAN-96813 | The GlobalProtect gateway ignores the Enable
X-Auth Support setting when you enable or disable it
through the firewall web interface (Network GlobalProtect Gateways <gateway> Agent Tunnel Settings Workaround: Enable
or disable X-Auth support by running the set network tunnel global-protect-gateway configuration
mode CLI command.<gateway> ipsec third-party-client rekey-noauth {yes| no} |
PAN-96734 | The configuration daemon (configd)
stops responding during a partial revert operation when reverting
an interface configuration. |
PAN-96587 | PA-7000 Series and PA-5200 Series firewalls
intermittently fail to forward logs to Log Collectors or the Logging
Service due to DNS resolution failure for the FQDNs of those log
receivers. Workaround: On the firewall, commit a configuration
change or run the debug software restart process log-receiver CLI
command. |
PAN-96572 | After end users successfully authenticate
for access to a service or application, their web browsers briefly
display a page indicating that authentication completed and then
they are redirected to an unknown URL that the user did not specify. |
PAN-96446 | A firewall that is not included in a Collector
Group fails to generate a system log if logs are dropped when forwarded
to a Panorama management server that is running in Management Only
mode. |
PAN-96113 | In a deployment where the firewall connects
to a Border Gateway Protocol (BGP) peer that advertises a route
for which the next hop is not in the same subnetwork as the BGP
peer interface, the show routing protocol bgp rib-out CLI
command does not display advertised routes that the firewall sent
to the BGP peer.Workaround: Move the next hop to the
same subnetwork as the BGP peer interface. |
PAN-95999 | Firewalls in an HA active/active configuration
with a default session setup and owner configuration drop packets
in a GlobalProtect VPN tunnel that uses a floating IP address. |
PAN-95895 | Firewalls that collect port-to-username
mappings from Terminal Services agents doesn't enforce user-based
policies correctly because the dataplane has incorrect primary-to-alternative-username mappings
even after you clear the User-ID cache. |
PAN-95773 | On VM-Series firewalls that have Data Plane
Development Kit (DPDK) enabled and that use the i40e network interface
card (NIC), the show session info CLI command
displays an inaccurate throughput and packet rate.Workaround: Disable
DPDK by running the set system setting dpdk-pkt-io off CLI
command. |
PAN-95736 | The mprelay process stops responding
when a commit occurs while the firewall is identifying flows that
need a NetFlow update. |
PAN-95717 | After 30,000 or more end users log in to
the GlobalProtect gateway within a two- to three-hour period, the
firewall web interface responds slowly, commits take longer than
expected or intermittently fail, and Tech Support File generation
times out and fails. |
PAN-95602 | In a deployment where a Log Collector connects
to Panorama management servers in an HA configuration, after you
switch the Log Collector appliance to Panorama mode, commit operations
fail on the appliance. Workaround: Remove the following
node from the running-config.xml file on the Log Collector before
switching it to Panorama mode: devices/entry[@name='localhost.localdomain']/deviceconfig/system/panorama-server-2 . |
PAN-95513 This issue is
now resolved. See PAN-OS 8.1.2 Addressed Issues; fix
requires the VMware NSX 2.0.4 or later plugin. | On the Panorama management server, selecting
additional target firewalls for a shared policy rule clears any
existing firewall selections for that rule ( Panorama Policies <policy_type> {Pre Rules | Post Rules | Default Rules} Target |
PAN-95511 | The name for an address object, address
group, or an external dynamic list must be unique. Duplicate names
for these objects can result in unexpected behavior when you reference
the object in a policy rule. |
PAN-95445 This issue is
now resolved. See PAN-OS 8.1.2 Addressed Issues; fix
requires the VMware NSX 2.0.4 or later plugin. | VM-Series firewalls for NSX and firewalls
in an NSX notify group ( Panorama VMware NSX Notify Group |
PAN-95443 | A VM-Series firewall on KVM in DPDK mode
doesn't receive traffic after you configure it to use the i40e single-root
input/output virtualization (SR-IOV) virtual function (VF). |
PAN-95197 | Mobile endpoints that use GPRS Tunneling
Protocol (GTP) lose traffic and have to reconnect because the firewall
drops the response message that a Gateway GPRS support node (GGSN)
sends for a second Packet Data Protocol (PDP) context update. |
PAN-95028 | For administrator accounts that you created
in PAN-OS 8.0.8 and earlier releases, the firewall does not apply
password profile settings ( Device Password Profiles |
PAN-94966 | After you delete disconnected and connected
Terminal Server (TS) agents in the same operation, the firewall
still displays the IP address-to-port-user mappings ( showuser ip-port-user-mapping CLI
command) for the disconnected TS agents you deleted (Device User Identification Terminal Services Agents Workaround: Do
not delete both disconnected and connected TS agents in the same
operation. |
PAN-94917 | On Panorama Log Collectors, the show system masterkey-properties CLI
command does not display the master key lifetime and reminder settings. |
PAN-94864 | A firewall receiving IP addresses via DHCP
fails to resolve FQDN objects to an IP address. |
PAN-94853 | Mobile endpoints that use GPRS Tunneling
Protocol (GTP) lose GTP-U traffic because the firewall drops all
GTP-U packets as packets without sessions after receiving two GTP
requests with the same tunnel endpoint identifiers (TEIDs) and IP
addresses. |
PAN-94846 | When DPDK is enabled on the VM-Series firewall
with i40e virtual function (VF) driver, the VF does not detect the
link status of the physical link. The VF link status remains up,
regardless of changes to the physical link state. |
PAN-94777 | A 500 Internal Server error
occurs for traffic that matches a Security policy rule with a URL
Filtering profile that specifies a Continue action (Objects Security Profiles URL Filtering Workaround: Reboot
the firewall. |
PAN-94452 | The firewall records GPRS Tunneling Protocol
(GTP) packets multiple times in firewall-stage packet captures (PCAPs). |
PAN-94402 | Upgrading firewalls from PAN-OS 8.0 to 8.1
causes the loss of user mapping information and therefore disrupts
user-based policies in the following HA configurations:
In both configurations, whichever firewall
is missing user mapping information also cannot collect new user
mappings through the PAN-OS XML API until you finish upgrading both
HA peers. |
PAN-94382 | On the Panorama management server, the Task
Manager displays Completed status immediately
after you initiate a push operation to firewalls (Commit
all ) even though the push operation is still in progress. |
PAN-94290 | ( HA active/active configuration only )
Fragmented packets are dropped when traversing a firewall. |
PAN-94278 | A Panorama Collector Group forwards Threat
and WildFire Submission logs to the wrong external server after
you configure match list profiles with the same name for both log
types ( Panorama Collector Groups <Collector_Group> Collector Log Forwarding {Threat
| WildFire} <match_list_profile> Workaround: Configure
match list profiles with different names for Threat and WildFire
Submission logs. |
PAN-94236 | When the file-forwarding queue limit is
reached, additional files fail to upload to the WildFire cloud.
However, these files are included in the WildFire log with a status
of offset mismatch . |
PAN-94187 | The firewall does not apply tag-based matching
rules for dynamic address groups unless you enclose the tag names
with single quotes ('<tag_name>') in the matching rules ( Objects Address Groups <address_group> |
PAN-94167 | Firewalls randomly retain IP address-to-username
mappings even after receiving information via User-ID Redistribution
that the mapping was deleted or expired. |
PAN-94135 | Device monitoring does not work on the Panorama
management server. Workaround: To enable Panorama to
receive device monitoring information from firewalls running PAN-OS
8.1, run the monitoring cfg-send device <device_serial_number> CLI
command on Panorama. |
PAN-94023 | The request system external-list show type ip name CLI
command does not display external dynamic list entries after you
restart the management server (mgmtsrvr) process.<EDL_name> |
PAN-93968 | The firewall and Panorama web interfaces
display vulnerability threat IDs that are not available in PAN-OS
8.1 releases ( Objects Security
Profiles Vulnerability Protection <profile> Exceptions |
PAN-93937 | The management server process (mgmtsrvr)
on the firewall restarts whenever you push configurations from the
Panorama management server. |
PAN-93930 | When you enable SSL decryption on a firewall,
decryption errors cause a process (all_pktproc) to
stop responding and causes the dataplane to restart. |
PAN-93889 | The Panorama management server generates
high-severity System logs with the message Syslogconnection establishedto server after
you configure Traps log ingestion (Panorama Log Ingestion Profile Panorama Server Profiles Syslog Commit Commit to Panorama Workaround: Disable
Traps log ingestion. |
PAN-93865 | The GlobalProtect agent can't split tunnel
applications based on the destination domain because the Include
Domain and Exclude Domain lists
are not pushed to the agent after the user establishes the GlobalProtect
connection (Network GlobalProtect Gateways <gateway-config> Agent Client Settings <client-setting-config> Split Tunnel Domain and Application In
addition, the GlobalProtect agent can't include applications in
the VPN tunnel based on the application process name because the Include
Client Application Process Name list is not pushed to
the agent after the user establishes the GlobalProtect connection. |
PAN-93864 | The password field does not display in the
GlobalProtect portal login dialog if you attach the certificate
profile to the portal configuration. Workaround: Remove
the certificate profile from the portal configuration or set the
username field to None in the certificate profile. |
PAN-93842 | The logging status of a Panorama
Log Collector deployed on AWS or Azure displays as disconnected
when you configure the ethernet1/1 to ethernet1/5 interfaces for
log collection ( Panorama Managed Collectors Interfaces Workaround: Configure
the management (MGT) interface for log collection. |
PAN-93755 | SSL decrypted traffic fails
after you Enforce Symmetric Return in Policy
Based Forwarding (PBF) policy rules (Policies Policy Based Forwarding |
PAN-93753 | High log rates cause disk space
on PA-200 firewalls to reach maximum capacity. |
PAN-93705 | Configuring additional interfaces
(such as ethernet1/1 or ethernet1/2) on the Panorama management
server in Management Only mode causes an attempt to create a local
Log Collector when you commit the configuration ( Panorama Setup Interfaces |
PAN-93640 | On firewalls, the Log Collector
preference list displays the IP address of a Panorama Log Collector
deployed on AWS as unknown if the interface (ethernet1/1
to ethernet1/5) used for sending logs does not have a public IP
address configured and you push configurations to the Collector
Group.Workaround: Configure the management (MGT) interface
for log collection. |
PAN-93607 | When you configure a VM-500
firewall with an SCTP Protection profile ( Objects Security Profiles SCTP Protection Objects Security
Profile Groups Workaround: Create a new
Security Profile Group and select the SCTP Protection profile from
there. |
PAN-93532 | When you configure a firewall
running PAN-OS 8.1 as an nCipher HSM client, the web interface on
the firewall displays the nCipher server status as Not Authenticated,
even though the HSM state is up ( Device Setup HSM |
PAN-93522 | On firewalls in an HA configuration,
traffic is disrupted because the dataplane restarts unexpectedly
when the firewall concurrently processes HA messages and packets
for the same session. This issue applies to all firewall models
except the PA-200 and VM-50 firewalls. |
PAN-93430 | The firewall web interface
doesn't display Host Information Profile (HIP) information in HIP
Match logs for end users who have Microsoft-supported special characters
in their domains or usernames. |
PAN-93410 | PA-5200 Series firewalls send
logs to the passive or suspended Panorama virtual appliance in Legacy
mode in an HA configuration. Workaround: On the active
Panorama, run the request log-fwd-ctrl device CLI
command, where <firewall_serial_number> action start<firewall_serial_number> is
the serial number of the firewall from which you want to send logs
to Panorama. |
PAN-93318 | Firewall CPU usage reaches 100 per cent
due to SNMP polling for logical interfaces based on updates to the
Link Layer Discovery Protocol (LLDP) MIB (LLDP-V2-MIB.my). Workaround: Restart
the snmpd process by running the debug software restart process snmp CLI
command. Note that restarting snmpd reduces the CPU usage to allow
other operations, but does not prevent the issue from recurring
the next time SNMP polling occurs for the LLDP-V2-MIB.my MIB. |
PAN-93233 | PA-7000 Series firewalls cause slow traffic
over IPSec VPN tunnels when the tunnel session and inner traffic
session are on different dataplanes because the firewalls reorder
TCP segments during IPSec encryption. Workaround: Keep
the tunnel session and inner traffic session on the same dataplane.
To determine which dataplane the tunnel session uses, first run
the show vpn tunnel name <tunnel_name> CLI command
to see the tunnel identifier, and then run the show vpn flow tunnel-id <tunnel_id> command
to display the dataplane (owner cpuid ).
To force the inner traffic session onto the same dataplane, run the set session distribution-policy fixed <dataplane> command. |
PAN-93207 | The firewall reports the incorrect hostname
when responding to SNMP get requests. |
PAN-93193 | The memory-optimized VM-50
Lite intermittently performs slowly and stops processing traffic
when memory utilization is critically high. To prevent this issue,
make sure that you do not:
Workaround: When
the firewall performs slowly, or you see a critical System log for
memory utilization, wait for 5 minutes and then manually reboot
the firewall.Use the Task Manager to verify that you are
not performing memory intensive tasks such as installing dynamic
updates, committing changes or generating reports, at the same time,
on the firewall. |
PAN-93184 This
issue is now resolved. See PAN-OS 8.1.16 Addressed Issues . | ( VM-50 Lite firewalls only )
There are intermittent instances of wild-fire-auth-failed due to ssl error 58 in
the system log due to management plane out-of-memory errors when
the varcvr process attempts to register to the cloud. |
PAN-93090 | When configuring a Google Cloud
Platform (GCP) instance to assign an L3 DHCP interface to ethernet1/2,
the GCP DHCP Server takes 30-50 seconds to respond to the DHCP discover
request. This delay causes DHCP IP assignments to fail. Workaround: To
bypass the need to wait for the DHCP response, set the firewall
interface to match the static IP address that GCP assigned to the
network interface at creation. In the GCP console, this address is
in the “Primary internal IP” column. |
PAN-93072 | For hardware firewalls that
are decrypting SSL traffic, multiple commits in a short period of
time can cause the firewall to become unresponsive. This issue applies
only to a hardware firewall with SSL decryption enabled; it does
not apply to virtual firewalls. |
PAN-93005 | The firewall generates System logs with
high severity for Dataplane under severe load conditions
that do not affect traffic. |
PAN-92892 | ( VM-50 Lite firewalls only ) There
are intermittent instances of Failed to back up PAN-DB in
the system log due to management plane out-of-memory errors when
the devsrvr process attempts to run an md5 checksum. |
PAN-92858 | The Panorama management server
cannot generate reports, and the ACC page intermittently becomes
unresponsive when too many heartbeats are missed because report
IDs greater than 65535 are never cleared. |
PAN-92678 | On Panorama management servers in an HA
configuration, after failover causes the secondary HA peer to become
active, it fails to deploy scheduled dynamic updates to Log Collectors
and firewalls. Workaround: Manually deploy the dynamic
updates (Panorama Device
Deployment Dynamic Updates |
PAN-92604 | A Panorama Collector Group does not forward
logs to some external servers after you configure multiple server
profiles ( Panorama Collector
Groups <Collector_Group> Collector Log Forwarding |
PAN-92564 | A small percentage of writable third-party
SFP transceivers (not purchased from Palo Alto Networks®) can stop
working or experience other issues after you upgrade the firewall
to which the SFPs are connected to a PAN-OS 8.0 or PAN-OS 8.1 release.
If your firewall uses third-party SFPs, Palo Alto Networks recommends
that you do not upgrade to a PAN-OS 8.0 or PAN-OS 8.1 release until
we release maintenance releases that address this issue. Additionally,
after we provide releases with this fix and you begin the upgrade
process, you must not reboot the firewall after you download and
install the PAN-OS 8.0 or PAN-OS 8.1 base image until after you
download and install a maintenance release with this fix. For
additional details, upgrade considerations, and instructions for upgrading
your firewalls, refer to the PAN-OS 8.0 upgrade information or the PAN-OS 8.1 upgrade information, as appropriate. |
PAN-92487 | Enabling jumbo frames ( Device Setup Session
|
PAN-92366 | PA-5200 Series firewalls in an active/passive
HA configuration drop Bidirectional Forwarding Detection (BFD) sessions
when the passive firewall is in an initialization state after you
reboot it. Workaround: On the passive firewall, set
the Passive Link State to Shutdown (Device High Availability General Active/Passive Settings |
PAN-92334 | ( PAN-OS 8.1.1 through PAN-OS 8.1.3 only )
The firewall fails to forward correlation events if you do not first
configure a log forwarding profile for correlated events.Workaround: Configure
log forwarding for correlated events (Device Log Settings Correlation |
PAN-92163 | Firewalls in an active/passive HA configuration
take longer than expected to fail over after you configure them
to redistribute routes between an interior gateway protocol (IGP)
and Border Gateway Protocol (BGP). |
PAN-92155 | You cannot configure an IP
address using templates for HA2 ( Device High Availability Data Link (HA2) Workaround: Configure HA2 in the
CLI using the following commands:
|
PAN-92152 | The firewall web interface displays a blank Device Licenses |
PAN-92149 | On PA-3250 and PA-3260 firewalls, the hardware
signature match engine is disabled and the PAN-OS software performs
signature matching instead, resulting in a ten percent degradation
in threat detection performance. |
PAN-92105 | Panorama Log Collectors do not receive some
firewall logs and take longer than expected to receive all logs
when the Collector Group has spaces in its name. Workaround: Configure
Collector Group names without spaces. |
PAN-92017 | Log Collectors that belong
to a collector group with a space in its name fail to fully connect
to one another, which affects log visibility and logging performance. Workaround: Configure
Collector Group names without spaces. |
PAN-91946 | The Panorama management server
intermittently does not refresh data about the health of managed
firewalls ( Panorama Managed Devices Health |
PAN-91809 | After you reboot the VM-Series
firewall for Azure, some interfaces configured as DHCP clients intermittently
do not receive DHCP-assigned IP addresses. Workaround: First,
configure static IP addresses on the affected interfaces on the
firewall and commit the change. Then enable DHCP on the same interfaces
and commit again. When the commit finishes, the interfaces will
receive DHCP-assigned IP addresses. |
PAN-91802 | On a VM-Series firewall, the clear
session all CLI command does not clear GTP sessions. |
PAN-91776 | End users cannot authenticate to GlobalProtect
after you specify a User Domain with Microsoft-supported
symbols such as the dollar symbol ($) in the authentication profile
(Device Authentication Profile |
PAN-91689 | The Panorama management server
removes address objects and, in the Network tab
settings and NAT policy rules, uses the associated IP address values
without reference to the address objects before pushing configurations
to firewalls. |
PAN-91421 | The firewall dataplane restarts
and results in temporary traffic loss when any process stops responding
while system resource usage is running high. |
PAN-91370 | The firewall drops IPv6 traffic while enforcing
IPv6 bidirectional NAT policy rules because the firewall incorrectly
translates the destination address for a host that resides on a
directly attached network. Workaround: Above the bidirectional
rule in your NAT policy, add an NPTv6 rule that specifies no translation
and matches the IPv6 address configured on the interface that the
firewall uses for traffic to the directly attached network. |
PAN-91238 | An Aggregate Ethernet (AE) interface with
Link Aggregation Control Protocol (LACP) enabled on the firewall
goes down after a cisco-nexus primary virtual port channel (vPC)
switch LACP peer reboots and comes back up. Workaround: Set
a hold time on the AE interface by running the debug l2 ctrl dlacp set hold-time CLI
command. The hold time (default is 15 seconds) specifies the delay
before the firewall processes LACP protocol data units (PDUs) after
LACP-enabled interfaces come up. |
PAN-91088 | On PA-7000 Series firewalls in an HA configuration,
the HA3 link does not come up after you upgrade to PAN-OS 8.0.6
or a later release. Workaround: Unplug and replug the
HSCI modules. |
PAN-91059 | GTP log query filters do not work when you
filter based on a value of unknown for the
message type or GTP interface fields (Monitor Logs GTP |
PAN-90947 | The PA-5250 firewall stops
responding when you configure 2,900 or more DHCP relay agent interfaces. |
PAN-90565 | The firewall does not accept wildcards (*)
as standalone characters to match all IMSI identifiers when you
configure IMSI Filtering in a GTP Protection
profile (Objects Security
Profiles GTP Protection Filtering
Options IMSI Filtering |
PAN-90404 | The Panorama management server
intermittently displays the connections among Log Collectors as
disconnected after pushing configurations to a Collector Group ( Panorama Managed Collectors |
PAN-90347 | On a PA-5000 Series firewall configured
to use an IPSec tunnel containing multiple proxy IDs ( Network IPSec Tunnels <tunnel> Proxy
IDs Workaround: Use Palo Alto
Networks firewalls on both ends of the IPSec tunnel, or use one
proxy ID per tunnel, or use only DP0 for establishing clear text
sessions (run the set session processing-cpu dp0 CLI
command). |
PAN-90301 | The firewall generates false positives during
GTP-in-GTP checks because it detects some DNS-in-GTP packets as
GTP-in-GTP packets ( Objects Security Profiles GTP Protection <GTP_Protection_profile> GTP Inspection GTP-U |
PAN-90096 | Threat logs record incorrect IMSI values
for GTP packets after you enable Packet Capture in
Vulnerability Protection profiles (Objects Security Profiles Vulnerability
Protection <Vulnerability_Protection_profile> Rules |
PAN-89794 | ( PA-3050, PA-3060, PA-5000 Series, PA-5200
Series, and PA-7000 Series firewalls only in an HA configuration )
Multicast sessions intermittently stop forwarding traffic after
HA failover on firewalls with hardware offloading enabled (default).Workaround: Disable
hardware offloading by running the set session off load no CLI
command and clear any multicast sessions that are already offloaded
after failover by running the clear session CLI
command. |
PAN-89402 | On PA-3200 Series firewalls, Ethernet ports
2, 3, 4, 6, 7, 8, and 10 function only at 1,000Mbps (1Gbps); you
should not configure these ports to run at any other speed. (Ethernet
ports 1, 5, 9, 11, and 12 function at 10Mbps, 100Mbps, or 1,000Mbps.) |
PAN-88987 | When you configure a PA-5220
firewall with Dynamic IP and Port (DIPP) NAT, the number of translated
IP addresses cannot exceed 3,000; otherwise, the commit fails. |
PAN-88852 | VM-Series firewalls stop displaying URL
Filtering logs after you configure a URL Filtering profile with
an alert action ( Objects Security
Profiles URL Filtering |
PAN-88649 | After receiving machine account names in UPN
format from a Windows-based User-ID agent, the firewall misidentifies
them as user accounts and overrides usernames with machine names
in IP address-to-username mappings. |
PAN-88487 | The firewall stops enforcing policy after
you manually refresh an External Dynamic List (EDL) that has an
invalid IP address or that resides on an unreachable web server. Workaround: Do
not refresh EDLs that have invalid IP addresses or that reside on
unreachable web servers. |
PAN-88048 | A VM-Series firewall on KVM in MMAP mode
doesn't receive traffic after you configure it to use the i40e single-root
input/output virtualization (SR-IOV) virtual function (VF). |
PAN-87990 | The WF-500 appliance becomes inaccessible
over SSH and becomes stuck in a boot loop after you upgrade from
a release lower than PAN-OS 8.0.1 and try to upgrade to PAN-OS 8.0.5
or a later release. |
PAN-87309 | When you configure a GlobalProtect gateway
to exclude all video streaming traffic from the VPN tunnel, Hulu
and Sling TV traffic cannot be redirected if you do not configure
any security profiles (such as a File Blocking profile) for your
firewall Security policy. |
PAN-86936 | Logs are temporarily unavailable on Panorama
Log Collectors because the vldmgr process restarts. |
PAN-86903 | In rare cases, PA-800 Series firewalls shut
themselves down due to a false over-current measurement. |
PAN-86028 | ( HA active/active configurations only )
Traffic in a GlobalProtect VPN tunnel in SSL mode fails after Layer
7 processing is completed if asymmetric routing is involved. |
PAN-85691 | Authentication policy rules based on multi-factor
authentication (MFA) don't block connections to an MFA vendor when
the MFA server profile specifies a Certificate Profile that has
the wrong certificate authority (CA) certificate. |
PAN-84670 | When you disable decryption for HTTPS traffic,
end users who don't have valid authentication timestamps can access
HTTPS services and applications regardless of Authentication policy. Workaround: Create
a Security policy rule that blocks HTTPS traffic that is not decrypted. |
PAN-84199 | After you disable the Skip Auth
on IKE Rekey option in the GlobalProtect gateway, the
firewall still applies the option: end users with endpoints that
use Extended Authentication (X-Auth) don't have to re-authenticate
when the key used to establish the IPSec tunnel expires (Network GlobalProtect Gateways <gateway> Agent Tunnel Settings |
PAN-83610 | In rare cases, a PA-5200 Series firewall
(with an FE100 network processor) that has session offload enabled
(default) incorrectly resets the UDP checksum of outgoing UDP packets. Workaround: In
PAN-OS 8.0.6 and later releases, you can persistently disable session
offload for only UDP traffic using the set session udp-off load no CLI
command. |
PAN-83598 | VM-Series firewalls cannot monitor more
than 500 virtual machine (VM) information sources ( Device VM Information Sources |
PAN-83236 | The VM-Series firewall on Google
Compute Platform does not publish firewall metrics to Google Stack
Monitoring when you manually configure a DNS server IP address ( Device Setup Services Workaround: The
VM-Series firewall on Google Cloud Platform must use the DNS server
that Google provides. |
PAN-83215 | SSL decryption based on ECDSA
certificates does not work when you import the ECDSA private keys
onto an nCipher nShield hardware security module (HSM). |
PAN-83047 | The firewall displays the following
commit warning when you configure a GlobalProtect gateway with a Tunnel
Interface set to the default tunnel interface
(Network GlobalProtect Gateways <gateway> General Warning: tunnel tunnel ipv6 is not enabled. IPv6 address will be ignored! |
PAN-82987 | The web interface intermittently
becomes unresponsive during ACC queries. |
PAN-82278 | Filtering does not work for Threat logs
when you filter for threat names that contain certain characters:
single quotation ( ’ ), double quotation (” ),
back slash (\ ), forward slash (/ ),
backspace (\b ), form feed (\f ), new
line (\n ), carriage return (\r ),
and tab (\t ). |
PAN-81521 | Endpoints failed to authenticate to GlobalProtect
through Kerberos when you specify an FQDN instead of an IP address
in the Kerberos server profile ( Device Server Profiles Kerberos Workaround: Replace
the FQDN with the IP address in the Kerberos server profile. |
PAN-79423 | Panorama cannot push address group objects
from device groups to managed firewalls when zones specify the objects
in the User Identification ACL include or exclude lists ( Network Zones Share Unused Address and Service Objects with
Devices option is disabled (Panorama Setup Management Panorama Settings |
PAN-79291 | An intermittent issue occurs with ZIP hardware
offloading (hardware-based decompression) where firewalls identify
ZIP files as threats when they are sent over Simple Mail Transfer
Protocol (SMTP). |
PAN-79090 | There is an issue where HIP-related
objects are missing transformation logic for OPSWAT when using a
Panorama 8.1 release to manage firewalls running a PAN-OS 8.0.15
or earlier release. Workaround: Ensure all firewalls
are running a PAN-OS 8.0.16 or later release. |
PAN-77125 | PA-7000 Series, PA-5200 Series,
and PA-3200 Series firewalls configured in tap mode don’t close
offloaded sessions after processing the associated traffic; the
sessions remain open until they time out. Workaround: Configure
the firewalls in virtual wire mode instead of tap mode, or disable
session offloading by running the set session offloadno CLI
command. |
PAN-75457 | ( PAN-OS 8.0.1 and later releases )
In WildFire appliance clusters that have three or more nodes, the
Panorama management server does not support changing node roles.
In a three-node cluster for example, you cannot use Panorama to
configure the worker node as a controller node by adding the HA
and cluster controller configurations, configure an existing controller
node as a worker node by removing the HA configuration, and then
commit and push the configuration. Attempts to change cluster node
roles from Panorama results in a validation error—the commit fails
and the cluster becomes unresponsive. |
PAN-73530 | The firewall does not generate a packet
capture (pcap) when a Data Filtering profile blocks files. |
PAN-73401 | ( PAN-OS 8.0.1 and later releases )
When you import a two-node WildFire appliance cluster into the Panorama
management server, the controller nodes report their state as out-of-sync
if either of the following conditions exist:
Workaround: There are three possible
workarounds to sync the controller nodes:
|
PAN-72861 | When you configure a PA-7000 Series or PA-5200
Series firewall to perform tunnel-in-tunnel inspection, which includes
GRE keep-alive packets ( Policies Tunnel Inspection <tunnel_inspection_rule> Inspection Inspect Options clear session all CLI command
while traffic is traversing a tunnel, the firewall temporarily drops
tunneled packets. |
PAN-71765 | Deactivating a VM-Series firewall from Panorama
completes successfully but the web interface does not update to
indicate that deactivation finished. Workaround: View
deactivation status from Panorama Managed Devices |
PAN-71329 | Local users and user groups in the Shared
location (all virtual systems) are not available to be part of the
user-to-application mapping for GlobalProtect Clientless VPN applications
( Network GlobalProtect Portals <portal> Clientless VPN Applications Workaround: Create
users and user groups in specific virtual systems on firewalls that
have multiple virtual systems. For single virtual systems (like
VM-Series firewalls), users and user groups are created under Shared
and are not configurable for Clientless VPN applications. |
PAN-70906 | If the PAN-OS web interface and the GlobalProtect
portal are enabled on the same IP address, then when a user logs
out of the GlobalProtect portal, the administrative user is also
logged out from the PAN-OS web interface. Workaround: Use
the IP address to access the PAN-OS web interface and an FQDN to
access the GlobalProtect portal. |
PAN-70023 | Authentication using auto-filled credentials
intermittently fails when you access an application using GlobalProtect
Clientless VPN. Workaround: Manually enter the credentials. |
PAN-69505 | When viewing an external dynamic list that
requires client authentication and you Test Source URL ,
the firewall fails to indicate whether it can reach the external
dynamic list server and returns a URL access error (Objects External Dynamic Lists |
PAN-62453 | Entering vSphere maintenance mode on a VM-Series
firewall without first shutting down the Guest OS for the agent
VMs causes the firewall to shut down abruptly, and results in issues
after the firewall is powered on again. Refer to Issue 1332563 in
the VMware Release Notes. Workaround: VM-Series
firewalls are Service Virtual Machines (SVMs) pinned to ESXi hosts
and you should not migrate those firewalls. Before you enter vSphere
maintenance mode, use the VMware tools to ensure a graceful shutdown
of the VM-Series firewall. |
PAN-58872 | The automatic license deactivation workflow
for firewalls with direct internet access does not work. Workaround: Use
the request license deactivate key features CLI
command to Deactivate a Feature License_or_Subscription_Using_the_CLI.
To Deactivate a VM-Series firewall, choose <name> modemanualComplete
Manually (instead of Continue )
and follow the steps to manually deactivate the VM. |
PAN-55825 | Performing an AutoFocus remote search that
is targeted to a firewall or Panorama management server does not
work correctly when the search condition contains a single or double
quotation mark. |
PAN-55437 | HA for VM-Series firewalls does not work
in AWS regions that do not support the signature version 2 signing
process for EC2 API calls. Unsupported regions include AWS EU (Frankfurt)
and Korea (Seoul). |
PAN-55203 | When you change the reporting period for
a scheduled report, such as the SaaS Application Usage PDF report,
the report can have incomplete or no data for the reporting period. Workaround: If
you need to change the reporting period for any scheduled report,
create a new report for the desired time period instead of modifying
the time period on an existing report. |
PAN-54254 | In Traffic logs, the following session end
reasons for Captive Portal or a GlobalProtect SSL VPN tunnel indicated
the incorrect reason for session termination: decrypt-cert-validation, decrypt-unsupport-param,
or decrypt-error. |
PAN-53825 | On the VM-Series for NSX firewall, when
you add or modify an NSX service profile zone on Panorama, you must
perform a Panorama commit and then push device group configurations
with the Include Device and Network Templates option
selected (Commit Commit
and Push |
PAN-53663 | When you open the SaaS Application Usage
report ( Monitor PDF Reports SaaS Application Usage Workaround: Export
only one PDF at a time and wait for that export process to finish
before initiating the next export request. |
PAN-51969 | On the NSX Manager, when you unbind an NSX
Security Group from an NSX Security Policy rule, the dynamic tag
and registered IP address are updated on the Panorama management
server but are not sent to the VM-Series firewalls. Workaround: To
push the Dynamic Address Group updates to the VM-Series firewalls,
you must manually synchronize the configuration with the NSX Manager
(select Panorama VMware
Service Manager NSX
Config-Sync ). |
PAN-51952 | If a security group overlap occurs in an
NSX Security policy where the same security group is weighted with
a higher and a lower priority value, the traffic may be redirected
to the wrong service profile (VM-Series firewall instance). This
issue occurs because an NSX Security policy with a higher weight
does not always take precedence over a policy with a lower weight. Workaround: Make
sure that members that are assigned to a security group are not
overlapping with another Security group and that each security group
is assigned to a unique NSX Security policy rule. This allows you
to ensure that NSX Security policy does not redirect traffic to
the wrong service profile (VM-Series firewall). |
PAN-51870 | When using the CLI to configure the management
interface as a DHCP client, the commit fails if you do not provide
all four DHCP parameters in the command. For a successful commit
when using the set deviceconfig system type dhcp-client configuration
mode CLI command, you must include each of the following parameters: accept-dhcp-domain , accept-dhcp-hostname , send-client-id ,
and send-hostname . |
PAN-51869 | Canceling pending commits does not immediately
remove them from the commit queue. The commits remain in the queue
until PAN-OS dequeues them. |
PAN-51673 | BFD sessions are not established between
two RIP peers when there are no RIP advertisements. Workaround: Enable
RIP on another interface to provide RIP advertisements from a remote
peer. |
PAN-51216 | The NSX Manager fails to redirect traffic
to the VM-Series firewall when you define new Service Profile zones
for NSX on the Panorama management server. This issue occurs intermittently
on the NSX Manager when you define security rules to redirect traffic
to the new service profiles that are available for traffic introspection
and results in the following error: Firewall configuration is not in sync with NSX Manager. Conflict with Service Profile Odd hoston service(Palo Alto Networks NGFW) when binding to host <name> . |
PAN-51122 | For the VM-Series firewall, after you manually
reset a heartbeat failure alarm on the vCenter server to indicate
that the VM-Series firewall is healthy (change color to green),
the vCenter server does not trigger a heartbeat failure alarm again. |
PAN-48456 | IPv6-to-IPv6 Network Prefix Translation (NPTv6)
is not supported when configured on a shared gateway. |
PAN-46344 | When you use a Mac OS Safari browser, client
certificates will not work for Captive Portal authentication. Workaround: On
a Mac OS system, instruct end users to use a different browser (for
example, Mozilla Firefox or Google Chrome). |
PAN-45793 | On a firewall with multiple virtual systems,
when you add an authentication profile to a virtual system and give
the profile the same name as an authentication sequence in Shared,
reference errors occur. The same errors occur if the profile is
in Shared and the sequence with the same name is in a virtual system. Workaround: When
creating authentication profiles and sequences, always enter unique
names, regardless of their location. For existing authentication
profiles and sequences with similar names, rename the ones that
are currently assigned to configurations (such as a GlobalProtect
gateway) to ensure uniqueness. |
PAN-43000 | Vulnerability detection of SSLv3 fails when
SSL decryption is enabled. This occurs when you attach a Vulnerability
Protection profile (that detects SSLv3—CVE-2014-3566) to a Security
policy rule and that Security policy rule and a Decryption policy
rule are configured on the same virtual system in the same zone.
After performing SSL decryption, the firewall sees decrypted data
and no longer sees the SSL version number. In this case, the SSLv3
vulnerability is not identified. Workaround: PAN-OS
7.0 introduced enhancements to SSL Decryption that enable
you to prohibit the inherently weaker SSL/TLS versions, which are
more vulnerable to attacks. For example, you can use a Decryption
Profile to enforce a minimum protocol version of TLS 1.2 or select Block
sessions with unsupported versions to disallow unsupported
protocol versions (Objects Decryption Profile SSL Decryption {SSL Forward Proxy | SSL Inbound Inspection} |
PAN-41558 | When you use a firewall loopback interface
as a GlobalProtect gateway interface, traffic is not routed correctly
for third-party IPSec clients, such as StrongSwan. Workaround: Use
a physical firewall interface instead of a loopback firewall interface
as the GlobalProtect gateway interface for third-party IPSec clients.
Alternatively, configure the loopback interface that is used as
the GlobalProtect gateway to be in the same zone as the physical
ingress interface for third-party IPSec traffic. |
PAN-40130 | In the WildFire Submissions logs, the email
recipient address is not correctly mapped to a username after you
push LDAP group mappings to the firewall from a Panorama template. |
PAN-40079 | The VM-Series firewall on KVM, for all supported
Linux distributions, does not support the Broadcom network adapters
for PCI pass-through functionality. |
PAN-40075 | The VM-Series firewall on KVM running on Ubuntu
12.04 LTS does not support PCI pass-through functionality. |
PAN-39728 | The URL logging rate is reduced after you enable
HTTP header logging in the URL Filtering profile ( Objects Security Profiles URL Filtering <URL_Filtering_profile> Settings |
PAN-39636 | Regardless of the Time Frame you
specify for a scheduled custom report on a Panorama M-Series appliance,
the earliest possible start date for the report data is effectively
the date when you configured the report (Monitor Manage Custom Reports Time Frame to Last 30
Days , the report that Panorama generates on the 16th
will include only data from the 15th onward. This issue applies only
to scheduled reports; on-demand reports include all data within the
specified Time Frame .Workaround: To
generate an on-demand report, click Run Now when
you configure the custom report. |
PAN-39501 | The firewall does not clear unused NAT IP
address pools after a single commit, so a commit fails when the
combined cache of unused pools, existing used pools, and new pools
exceeds the memory limit. Workaround: Commit a second
time, which clears the old pool allocation. |
PAN-38255 | When you perform a factory reset on a Panorama
virtual appliance and configure the serial number, logging does
not work until you reboot Panorama or execute the debug software restart process management-server CLI
command. |
PAN-37511 | Due to a limitation related to the Ethernet
chip driving the SFP+ ports, PA-5050 and PA-5060 firewalls will
not perform link fault signaling as standardized when a fiber in
the fiber pair is cut or disconnected. |
PAN-37177 | After deploying the VM-Series firewall and
it connects to the Panorama management server, you must commit to
Panorama ( Commit Commit
to Panorama Panorama Managed
Devices Furthermore, when Panorama
has an HA configuration, the VM-Series firewall is not added to
the passive Panorama peer until the active Panorama peer synchronizes
the configuration. During this time, the passive Panorama peer logs
a critical message: vm-cfg: failed to process registration from svm device.vm-state: active .
The passive peer logs this message until you commit the changes
on the active Panorama, which then initiates synchronization between
the Panorama HA peers and the VM-Series firewall is added to the
passive Panorama peer.Workaround: To reconnect to
the managed firewalls, commit your changes to Panorama. In an HA
deployment, the commit initiates the synchronization of the running
configuration between the Panorama HA peers. |
PAN-36730 | When deleting the VM-Series deployment,
all VMs are deleted successfully; however, sometimes a few instances
still remain in the datastore. Workaround: Manually
delete the VM-Series firewalls from the datastore. |
PAN-36728 | ( VM-Series for NSX firewalls only )
In some scenarios, traffic from newly added guests or virtual machines
is not steered to the VM-Series firewall even when the guests belong
to a Security Group and are attached to a Security Policy that redirects
traffic to the VM-Series firewall.Workaround: Reapply
the Security Policy on the NSX Manager. |
PAN-36727 | The VM-Series firewall fails to deploy and
displays the following error message: Invalid OVF Format in Agent Configuration. Workaround: Use
the following command to restart the ESX Agent Manager process on
the vCenter Server: /etc/init.d/vmware-vpxd tomcat-restart . |
PAN-36433 | When HA failover occurs on Panorama at the
time that the NSX Manager is deploying the VM-Series NSX edition
firewall, the licensing process fails with the following error: vm-cfg:failed to process registration from svm device. vm-state: active .Workaround: Delete
the unlicensed instance of the VM-Series firewall on each ESXi host
and then redeploy the Palo Alto Networks next-generation firewall
service from the NSX Manager. |
PAN-36394 | ( VM-Series for NSX firewalls only )
When the datastore is migrated for a guest, all current sessions
are no longer steered to the VM-Series firewall. However, all new
sessions are secured properly. |
PAN-36393 | When deploying the VM-Series firewall, the
Task Console displays Error while enabling agent. Cannot complete the operation. See the event log for details. This
error displays even on a successful deployment. You can ignore the
message if the VM-Series firewall is successfully deployed. |
PAN-36088 | When an ESXi host is rebooted or shut down,
the functional status of the guests is not updated. Because the
IP address is not updated, the dynamic tags do not accurately reflect
the functional state of the guests that are unavailable. |
PAN-36049 | The VMware vCenter Server/vmtools displays
the IP address for a guest incorrectly after VLAN tags are added
to an Ethernet port. The display does not accurately show the IP
addresses associated with the tagged Ethernet port and the untagged
Ethernet port. This issue occurs on some Linux OS versions such
as Ubuntu. |
PAN-35903 | When you edit a traffic introspection rule
(to steer traffic to the VM-Series firewall) on the NSX Manager,
an invalid (tcp) port number error or invalid (udp) port number error displays
when you remove the destination (TCP or UDP) port.Workaround: Delete
the rule and add a new one. |
PAN-35875 | When defining traffic introspection rules
(to steer traffic to the VM-Series firewall) on the NSX Manager,
either the source or the destination for the rule must reference
the name of a Security Group; you cannot create a rule from any
to any Security Group. Workaround: To redirect all
traffic to the VM-Series firewall, you must create a Security Group
that includes all the guests in the cluster. Then you can define
a security policy that redirects traffic from and to the cluster
so that the firewall can inspect and enforce policy on the east-west
traffic. |
PAN-35874 | Duplicate packets are steered to the VM-Series
firewall after you enable distributed vSwitch for steering in promiscuous
mode. Workaround: Disable promiscuous mode. |
PAN-34966 | On a VM-Series NSX edition firewall, when
adding or removing a Security Group (Container) that is bound to
a Security Policy, the Panorama management server does not get a
dynamic update of the added or removed Security Group. Workaround: Select Panorama VMware Service Manager Synchronize Dynamic Objects to initiate
a manual synchronization to get the latest update. |
PAN-34855 | On a VM-Series NSX edition firewall, Dynamic
Tags (update) do not reflect the actual IP address set on the guest.
This issue occurs because the vCenter Server cannot accurately view
the IP address of the guest. |
PAN-31832 | The following issues apply when configuring
a firewall to use a hardware security module (HSM):
|
PAN-25046 | Firewalls store SSH host keys used for SCP
log exports in the known hosts file. In an HA deployment, PAN-OS
synchronizes the SCP log export configuration between the firewall
HA peers ( Device Scheduled
Log Export Workaround: Log
in to each peer in HA, select Device Scheduled Log Export <log_export_configuration> Test SCP server connection to confirm
the host key so that SCP log forwarding continues to work after
a failover. |
PAN-23732 | After you use a Panorama template to push a
log export schedule that specifies an SCP server as the destination
( Device Scheduled
Log Export Test SCP server connection .
The connection is not established until the firewall accepts the
host key for the SCP server. |