PAN-OS 9.0.0 Addressed Issues

PAN-OS® 9.0.0 addressed issues.
Issue ID
Description
WF500-4811
Fixed an issue where WF-500 appliances displayed the wrong WildFire® content version (
show system info
) after a WildFire content update.
PAN-109668
A security related fix was made to limit the amount of information returned from an API call error message.
PAN-109124
A security-related fix was made to address an issue where you were unable to retrieve GlobalProtect™ cloud service threat packet captures from the Logging Service on Panorama™ M-Series and virtual appliances.
PAN-109096
Fixed an issue where the firewall did not remove the
4 Byte AS Format
number when
Remove Private AS
is enabled.
PAN-109003
Fixed an issue on Panorama M-Series and virtual appliances where a process (
configd
) stopped responding during a local commit.
PAN-107887
Fixed an issue where an API call did not return the details of the security policy when you added a service group.
PAN-107779
Fixed an issue where Wildfire signature version information was no longer displayed after you activated a GlobalProtect client.
PAN-107117
Fixed an issue where device administrators were unable to manually upload signature files (
Device
Dynamic Updates
) and the firewall displayed the following error message:
Youneed superuser privileges to do that.
PAN-106784
Fixed an issue where the firewall revealed password hashes in the web interface when changing administrator passwords.
PAN-106721
Fixed an intermittent issue where a processor cache memory corruption caused a reload when the firewall freed packets from the buffer.
PAN-106695
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where the Panorama management server enabled the administrator to clone a rule on the passive firewall.
PAN-106181
Fixed an issue where the
Cancel
option was removed to prevent access when you
Require Password Change on First Login
(
Device
Setup
Management
).
PAN-106019
Fixed an issue where a process (
routed
) stopped responding when an incomplete command ran in the XML API.
PAN-105849
A security-related fix was made to address an issue with the
wf_curl.log
file in WF-500 appliances (WildFire).
PAN-105737
Fixed an issue where AUX ports remained in Down state after you upgraded to PAN-OS
®
8.1.7.
PAN-105684
Fixed as issue on a firewall in an HA active/passive configuration where OSPF and BGP running on an Aggregate Ethernet (AE) with LACP enabled took longer than expected after a failover.
PAN-105040
Fixed an issue where the dataplane processor caused memory loss in the packet buffer pool.
PAN-104623
Fixed an issue where a process (
brdagent
) printed QoS information messages in the brdagent.log file, which caused a missed heartbeat and the firewall to restart.
PAN-104616
Fixed an issue where certificate imports failed when you used a backslash (
\
) character in a password to export certificates.
PAN-104578
(
PA-800 Series firewalls only
) Fixed an issue on a firewall in an HA active/passive configuration where the HA failover took longer than expected.
PAN-104572
Fixed an issue on Panorama M-Series and virtual appliances where the configd.log file displayed schema error messages after you created an administrator role with context switch UI permissions enabled.
PAN-104354
Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall ran a configuration out of sync after a restart.
PAN-104078
Fixed an issue where administrators could not successfully add conditional advertisements (
Network
Virtual Routers
<virtual-router>
BGP
Conditional Adv
) for BGP routing tables (changes were lost after commit).
PAN-103863
Fixed an issue where the IPSec tunnel restart (
Network
IPSec Tunnels
IKE Info
) did not display properly on the web interface.
PAN-103857
Fixed an issue on a firewall in an HA active/passive configuration where the suspended firewall processed traffic.
PAN-103615
Fixed an issue where scheduled log exports failed on nonstandard ports.
PAN-103192
Fixed an issue on a firewall where the Global Find for IPSec tunnels displayed incorrect search results.
PAN-103061
Fixed an issue where special characters contained in the CLI comment field caused the process (
devsrvr
) to stop responding.
PAN-103055
Fixed an issue where you were unable to filter Address Groups (
Objects
Address Groups
) by an address object name.
PAN-102779
Fixed an issue on a PA-3000 Series firewall where multiple (
all_pktproc
) processes failed and caused the dataplane to stop responding.
PAN-102526
Fixed an issue on Panorama M-Series and virtual appliances where disk quota edits failed and displayed the following error message:
quota-settings -> disk-quota is invalid
.
PAN-102029
Fixed an issue on a firewall where the DNS resolution routed through the dataplane and configured with a service route, stopped responding when the management interface was not configured.
PAN-101821
Fixed an issue where Referer was spelled incorrectly in the HTTP Headers section of the Detailed Log View (
Monitor
URL Filtering
).
PAN-101451
Fixed an issue where SNMP queries displayed incorrect values.
PAN-101391
Fixed an issue where the scheduled nightly custom report was not generated or emailed as expected.
PAN-101365
Fixed an intermittent issue where the session ID did not clear when the session ID is set to 0.
PAN-101294
Fixed an issue where administrators were allowed to create tunnel interfaces from the template stack.
PAN-101068
Fixed an issue where the object identifier (OID) ifAdminStatus incorrectly displayed
up
when configured to
down
.
PAN-100656
Fixed an issue Panorama M-Series and virtual appliances where duplicate entries in BGP redistribution configurations were not verified, which caused commits to fail.
PAN-100464
Fixed an issue where the sub-interfaces and the configurations were deleted when you tried to override the subinterface of a template stack.
PAN-100154
Fixed an issue where the default static route always became the active route and took precedence over a DHCP auto-created default route that was pointing to the same gateway regardless of the metrics or order of installation. With this fix, the firewall no longer installs the default static route in the FIB when the system has both a DHCP auto-created default route and a manually configured default static route pointing to the same gateway.
PAN-100049
Fixed an issue on Panorama M-Series and virtual appliances where Push Scope Selection (
Commit
Push to Devices
) selected firewalls not in the hierarchy of the firewall you selected.
PAN-99945
Fixed an issue on Panorama where the progress bar in the web interface stopped responding and did not display any status after sending a commit or activating an auth code even though the task completed successfully.
PAN-99640
A security-related fix was made to address a denial of service (DoS) vulnerability in PAN-OS Linux Kernel (CVE-2017-8890).
PAN-99551
Fixed an issue on a firewall in an HA active/passive configuration where the User-ID™ process stopped responding on the passive firewall when the system was managing a high number of (more than 30,000) active users.
PAN-99447
"
Virtual and M-Series Panorama appliances and Log Collectors only
) Fixed an issue where a Log Collector received logs destined for closed Elasticsearch (ES) indices, which caused indices to return failure messages and, when the issue persisted for more than a few hours, caused Log Collectors to disconnect and reconnect repeatedly when attempting (and failing) to process the re-queued logs.
PAN-98130
Fixed an intermittent issue where the firewall allowed traffic based on an unmatched rule after a session rematch is triggered.
PAN-98005
Fixed an issue where adding more than eight Log Collectors to a collector group caused the configuration (
configd
) process to stop responding.
PAN-97848
Fixed an issue where if you deployed Panorama on KVM, it deployed in Legacy mode instead of Management Only mode even when meeting the minimum resource requirements for Management Only mode.
PAN-97417
Fixed an issue where the loopback IP address redistributed to the Local RIB table instead of the Adj-RIBs-out table.
PAN-96344
Fixed an issue on a firewall where TCP reset packets were sent even after you set the vulnerability profile action to drop the packets.
PAN-96297
Fixed an issue where a process (
useridd
) stopped responding due to the syslog server messages not parsing with field identifiers.
PAN-95445
This fix requires the VMware NSX 2.0.4 or a later plugin.
Fixed an issue where VM-Series firewalls for NSX and firewalls in an NSX notify group (
Panorama
VMware NSX
Notify Group
) briefly dropped traffic while receiving dynamic address updates after the primary Panorama in a high availability (HA) configuration failed over.
PAN-94486
Fixed an issue where the dataplane did not get a dynamic IP address assigned because the process (
routed
) did not release it.
PAN-92725
Fixed an issue on the firewall and Panorama management server where the web interface became unresponsive because the (
cord
) process restarted after you configured multiple log forwarding destinations in a single forwarding rule for Correlation logs (
Device
Log Settings
).
PAN-92485
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to set the MTU (
Network
Interfaces
Ethernet
<Interface>
Ethernet Interface
Advanced
Other Info
) value to more than 1460 bytes with Jumbo Frames enabled.
PAN-91930
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to type in tunnel zone names in the Tunnel Source Zone (
Policies >
Pre Rules >
<rule-name>
Inspection
Security Options
) field.
PAN-91499
Fixed an issue on a firewall where an address object FQDN resolution returned the IPv6 DNS record but did not return all associated -- IPv4 and IPv6 -- DNS records.
PAN-91442
Fixed an issue where an external dynamic list with an invalid IPv6 address range caused commits to fail.
PAN-82278
Fixed an issue where filtering did not work for Threat logs when you filtered for threat names that contained certain characters: single quotation (
), double quotation (
), back slash (
\
), forward slash (
/
), backspace (
\b
), form feed (
\f
), new line (
\n
), carriage return (
\r
), and tab (
\t
).
PAN-72861
Fixed an issue where when you configured a PA-5200 Series or PA-7000 Series firewall to perform tunnel-in-tunnel inspection, which includes GRE keep-alive packets (
Policies
Tunnel Inspection
<tunnel_inspection_rule>
Inspection
Inspect Options
), and ran the
clear session all
CLI command while traffic was traversing a tunnel, the firewall temporarily dropped tunneled packets.

Recommended For You