PAN-OS 9.0.0 Addressed Issues

Fixed an issue where WF-500 appliances displayed the wrong WildFire® content version (show system info) after a WildFire content update.

A security related fix was made to limit the amount of information returned from an API call error message.

A security-related fix was made to address an issue where you were unable to retrieve GlobalProtect™ cloud service threat packet captures from the Logging Service on Panorama™ M-Series and virtual appliances.

Fixed an issue where the firewall did not remove the 4 Byte AS Format number when Remove Private AS is enabled.

Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding during a local commit.

Fixed an issue where an API call did not return the details of the security policy when you added a service group.

Fixed an issue where Wildfire signature version information was no longer displayed after you activated a GlobalProtect client.

Fixed an issue where device administrators were unable to manually upload signature files (DeviceDynamic Updates) and the firewall displayed the following error message: Youneed superuser privileges to do that.

Fixed an issue where the firewall revealed password hashes in the web interface when changing administrator passwords.

Fixed an intermittent issue where a processor cache memory corruption caused a reload when the firewall freed packets from the buffer.

Fixed an issue on a firewall in a high availability (HA) active/passive configuration where the Panorama management server enabled the administrator to clone a rule on the passive firewall.

Fixed an issue with multiple or overlapping custom URL categories where traffic matched the incorrect Security policy rule when the custom URL category was used in a Security policy rule with a URL filtering profile.

Fixed an issue where the Cancel option was removed to prevent access when you Require Password Change on First Login (DeviceSetupManagement).

Fixed an issue where a process (routed) stopped responding when an incomplete command ran in the XML API.

A security-related fix was made to address an issue with the wf_curl.log file in WF-500 appliances (WildFire).

Fixed an issue where AUX ports remained in Down state after you upgraded to PAN-OS^® 8.1.7.

Fixed as issue on a firewall in an HA active/passive configuration where OSPF and BGP running on an Aggregate Ethernet (AE) with LACP enabled took longer than expected after a failover.

Fixed an issue where the dataplane processor caused memory loss in the packet buffer pool.

Fixed an issue where a process (brdagent) printed QoS information messages in the brdagent.log file, which caused a missed heartbeat and the firewall to restart.

Fixed an issue where certificate imports failed when you used a backslash ( \ ) character in a password to export certificates.

(PA-800 Series firewalls only) Fixed an issue on a firewall in an HA active/passive configuration where the HA failover took longer than expected.

Fixed an issue on Panorama M-Series and virtual appliances where the configd.log file displayed schema error messages after you created an administrator role with context switch UI permissions enabled.

Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall ran a configuration out of sync after a restart.

Fixed an issue where administrators could not successfully add conditional advertisements (NetworkVirtual Routers<virtual-router>BGPConditional Adv) for BGP routing tables (changes were lost after commit).

Fixed an issue where the IPSec tunnel restart (NetworkIPSec TunnelsIKE Info) did not display properly on the web interface.

Fixed an issue on a firewall in an HA active/passive configuration where the suspended firewall processed traffic.

Fixed an issue where scheduled log exports failed on nonstandard ports.

Fixed an issue on a firewall where the Global Find for IPSec tunnels displayed incorrect search results.

Fixed an issue where special characters contained in the CLI comment field caused the process (devsrvr) to stop responding.

Fixed an issue where you were unable to filter Address Groups (ObjectsAddress Groups) by an address object name.

Fixed an issue on a PA-3000 Series firewall where multiple (all_pktproc) processes failed and caused the dataplane to stop responding.

Fixed an issue on Panorama M-Series and virtual appliances where disk quota edits failed and displayed the following error message: quota-settings -> disk-quota is invalid.

Fixed an issue on a firewall where the DNS resolution routed through the dataplane and configured with a service route, stopped responding when the management interface was not configured.

Fixed an issue where Referer was spelled incorrectly in the HTTP Headers section of the Detailed Log View (MonitorURL Filtering).

Fixed an issue where SNMP queries displayed incorrect values.

Fixed an issue where the scheduled nightly custom report was not generated or emailed as expected.

Fixed an intermittent issue where the session ID did not clear when the session ID is set to 0.

Fixed an issue where administrators were allowed to create tunnel interfaces from the template stack.

Fixed an issue where the object identifier (OID) ifAdminStatus incorrectly displayed up when configured to down.

Fixed an issue Panorama M-Series and virtual appliances where duplicate entries in BGP redistribution configurations were not verified, which caused commits to fail.

Fixed an issue where the sub-interfaces and the configurations were deleted when you tried to override the subinterface of a template stack.

Fixed an issue where the default static route always became the active route and took precedence over a DHCP auto-created default route that was pointing to the same gateway regardless of the metrics or order of installation. With this fix, the firewall no longer installs the default static route in the FIB when the system has both a DHCP auto-created default route and a manually configured default static route pointing to the same gateway.

Fixed an issue on Panorama M-Series and virtual appliances where Push Scope Selection (CommitPush to Devices) selected firewalls not in the hierarchy of the firewall you selected.

Fixed an issue on Panorama where the progress bar in the web interface stopped responding and did not display any status after sending a commit or activating an auth code even though the task completed successfully.

A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS Linux Kernel (CVE-2017-8890).

Fixed an issue on a firewall in an HA active/passive configuration where the User-ID™ process stopped responding on the passive firewall when the system was managing a high number of (more than 30,000) active users.

"Virtual and M-Series Panorama appliances and Log Collectors only) Fixed an issue where a Log Collector received logs destined for closed Elasticsearch (ES) indices, which caused indices to return failure messages and, when the issue persisted for more than a few hours, caused Log Collectors to disconnect and reconnect repeatedly when attempting (and failing) to process the re-queued logs.

Fixed an intermittent issue where the firewall allowed traffic based on an unmatched rule after a session rematch is triggered.

Fixed an issue where adding more than eight Log Collectors to a collector group caused the configuration (configd) process to stop responding.

Fixed an issue where if you deployed Panorama on KVM, it deployed in Legacy mode instead of Management Only mode even when meeting the minimum resource requirements for Management Only mode.

Fixed an issue where the loopback IP address redistributed to the Local RIB table instead of the Adj-RIBs-out table.

Fixed an issue on a firewall where TCP reset packets were sent even after you set the vulnerability profile action to drop the packets.

Fixed an issue where a process (useridd) stopped responding due to the syslog server messages not parsing with field identifiers.

Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (PanoramaVMware NSXNotify Group) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over.

Fixed an issue where the dataplane did not get a dynamic IP address assigned because the process (routed) did not release it.

Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the (cord) process restarted after you configured multiple log forwarding destinations in a single forwarding rule for Correlation logs (DeviceLog Settings).

Fixed an issue on Panorama M-Series and virtual appliances where you were unable to set the MTU (NetworkInterfacesEthernet<Interface>Ethernet InterfaceAdvancedOther Info) value to more than 1460 bytes with Jumbo Frames enabled.

Fixed an issue on Panorama M-Series and virtual appliances where you were unable to type in tunnel zone names in the Tunnel Source Zone (Policies >Pre Rules ><rule-name>InspectionSecurity Options) field.

Fixed an issue on a firewall where an address object FQDN resolution returned the IPv6 DNS record but did not return all associated -- IPv4 and IPv6 -- DNS records.

Fixed an issue where an external dynamic list with an invalid IPv6 address range caused commits to fail.

Fixed an issue where filtering did not work for Threat logs when you filtered for threat names that contained certain characters: single quotation (’), double quotation (”), back slash (\), forward slash (/), backspace (\b), form feed (\f), new line (\n), carriage return (\r), and tab (\t).