PAN-OS 9.0.11 Addressed Issues

PAN-OS® 9.0.11 addressed issues.
Issue ID
An enhancement was made to provide an option to increase Data Plane Development Kit (DPDK) ring size and DPDK queue number for VM-Series firewalls deployed on ESXi.
Fixed an issue where the IPSec encapsulation sequence was not properly synced to the dataplanes on a high availability (HA) active/passive cluster.
Fixed an issue where the proxy configuration did not get honored, which caused certificate revocation list (CRL) checks from the firewall to fail.
Fixed an issue where traffic logs were not shown due to a thread timeout that was causing the reading of the logs from the dataplane to slow.
Added CLI commands to increase thread limits to reduce task thread exhaustion on a process (configd).
Fixed an issue where packet buffer unavailability caused host-bound sessions to remain in an opening state in the dataplane.
Fixed an intermittent issue where Panorama did not retrieve firewall logs from Cortex Data Lake.
Fixed an issue where certain GPRS tunneling protocol (GTP-U) sessions that could not complete installation still occupied the flow table, which led to higher-than-expected session table usage.
Fixed an issue where a process ( caused the management plane CPU usage to remain high for a longer period of time than expected.
Fixed an issue with URL Filtering where websites that were previously in the malicious category but have since been cleared remained in the malicious category in the dataplane cache. These websites were moved to the benign category only after you manually cleared the cache.
Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.
Fixed an issue where upgrading the capacity license on a VM-Series HA pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.
Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.
Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.
Fixed an issue that caused a process (mprelay) to stop responding when committing changes in the Netflow Server Profile configuration (Device > Server Profiles > Netflow).
Fixed an issue where the candidate configuration was not updated to the running configuration after a successful commit when the commit was initiated by an API-privileges-only custom role-based administrator.
Fixed an issue where FIB entries were unexpectedly removed due to miscommunication between internal processes.
Fixed an issue where a custom report query from Panorama, which includes new fields not supported in prior releases, triggered a restart of a process (reportd) when Panorama was connected to log collectors running an earlier PAN-OS release.
Fixed an issue where non-superuser administrators with all rights enabled were unable to Review Policies or Review Apps for downloaded or installed content versions.
Fixed an issue on Panorama where system and configuration logs from dedicated Log Collectors did not display on Panorama appliances in Management Only mode.
Fixed an issue where Panorama stopped showing new logs when
was in the URL payload format of the HTTP(S) server profile used to forward URL logs from the Panorama Log Collector.
Fixed an issue where an API call for correlated events did not return any events.
Fixed an issue where stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information after a policy commit and session rematch.
Fixed an issue where host information profile (HIP) details were not available on Panorama even with a valid and active HIP redistribution configuration.
Fixed an issue where TCP traffic dropped due to TCP sequence checking in an HA active/active configuration where traffic was asymmetric.
A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).
Fixed an issue where conversion from Panorama mode to logger mode was enabled even when an administrative user named
did not exist in the configuration, which prevented access to the appliance after conversion.
Fixed an issue where memory usage on a process (useridd) was high, which caused the process to restart on the firewall that was acting as the User-ID redistribution agent. This issue occurred when multiple clients requested IP address-to-user mappings at the same time.
Fixed an issue where Applications and Threats content installation failed on the firewall with the following error message:
Error: Threat database handler failed
Fixed an issue on the firewall where memory usage on a process (devsrvr) increased after running the show object dynamic-address-group all CLI command.
Fixed an issue where GlobalProtect™ IPSec connections flapped when the peer address to the gateway changed due to NAT.
Fixed an issue where BGP-learned routes were incorrectly populated with a VR error as a next hop.
Fixed an issue where a firewall process (all_pktproc) restarted while processing Session Traversal Utilities for NAT (STUN) over TCP.
Fixed an issue where exporting policies to PDF or CSV files did not include all policies and contained duplicates.
Fixed an issue on Panorama in PAN-DB mode where content updates did not successfully install, which caused the cloud state to degrade.
A fix was made to address a vulnerability in the PAN-OS signature-based threat detection engine that allowed an attacker to evade threat prevention signatures using specifically crafted TCP packets (CVE-2020-1999).
Fixed an issue on an M-600 appliance where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.
Fixed an issue with the automated correlation engine that caused firewalls to stop generating correlated event logs for the
object (ID 6005).
Fixed an issue on Panorama where a custom administrator with all rights enabled was not able to display the content of the external dynamic list (EDL) on the Panorama web interface.
Fixed an issue where Log Collectors had problems ingesting older logs for previous days received at a high rate.
Fixed an issue where commits failed on the firewall due to memory allocation failure. You can check configuration memory using the debug dataplane show cfg-memstat statistics CLI command.
Fixed an issue where random member ports in a link aggregate group failed to join the aggregate group due to the following error:
Link speed mismatch
Fixed an issue where authentication stopped working after a commit and a process (authd) exited, which caused other processes to exit.
Fixed an issue where Panorama did not show correct logs filtered with
, and
Fixed an issue where an administrative user using custom admin roles and without access to the
tab was unable to expand the detailed views of
Monitor > Logs
Fixed an issue where SSH service restart management did not take effect in the SSH management server profile.
Fixed an issue where the resolution of FQDN for a policy on the web interface did not work as expected if the FQDN contained CAPITAL letters.
Fixed an issue where IP address-to-tag mapping entries had negative time-to-live (TTL) values instead of being removed after expiry.
Fixed an issue where, after rebooting the firewall, the SNMP object identifier (OID) for TCP connections per second (panVsysActiveTcpCps / . returned 0 until another OID was pulled. Additionally, after a restart of a process (snmpd), if the above OID was called before other OIDs, there was an approximate 10-second delay in populating the data pulled by each OID.
Fixed an issue where a memory leak on a process (useridd) caused multiple processes to restart during device serial number checks.
Fixed an issue where the Host Evasion Threat ID signature did not trigger for the initial session even when the DNS response was received before the session expired.
(PA-7000 Series firewalls only) Fixed a rare issue where the firewall rebooted due to a path monitoring failure on the Log Processing Card (LPC).
Fixed an issue where a large number of groups in group mapping caused a process (useridd) to stop responding.
A fix was made to address a vulnerability where the password for a configured system proxy server for a PAN-OS appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048).
Fixed an issue where a process (authid) used a large amount of memory due to many incomplete authentication requests, which caused an out-of-memory (OOM) condition.
(PA-3200 Series firewalls only) Fixed an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate was set to 2.
Fixed an issue where the web interface and the CLI were inaccessible, which caused the following error message to display on the web interface:
Timed out while getting config lock
Fixed an issue where dynamic route updates triggered an unintentional refresh of the DHCP client interface IP address, which led to the removal and re-addition of the default route associated with the DHCP client IP address and caused traffic disruption.
Fixed an issue where HIP reports failed to display on either the web interface or the CLI.
Fixed an issue where a large number of groups in group mappings caused a process (useridd) to stop responding.
An enhancement was made to reduce the memory usage of a process (logrcvr) to avoid out-of-memory (OOM) conditions on lower-end platforms.
Fixed an issue where custom role-based admins were able to reset the rule hit counter for disabled device groups.
Fixed an issue where pushing a configuration from a Panorama management server running PAN-OS 9.0 to a firewall running PAN-OS 8.1 produced a HTTP/2 warning. To leverage this fix, update both Panorama and the firewall to PAN-OS 9.0.11 or a later PAN-OS 9.0 release.
Fixed an issue where the dataplane restarted due to a loop in DoS protection source-destination IP address classification.
Fixed an issue where, for users with admin roles, logs for only one device group were displayed due to a query string with multiple device groups.
Fixed a cosmetic issue where misleading App-ID and rule shadowing warnings populated after a commit.
Fixed an intermittent issue where the first response to a SIP INVITE message created incorrect
entries and caused Via header translation failure.
(Panorama virtual appliances only) Fixed an issue where SNMP monitoring of ifSpeed reported the interface speed as 0 for interfaces other than eth0.
Fixed an issue where a Log Collector remained in an out-of-sync state after configuring an IP address (local or public) on an additional Ethernet interface.
Fixed an issue where the inner GTP-U flows were installed using incorrect zones, which led to traffic issues when the firewall was in line for the S1-U interface.
Fixed an issue in Panorama where the template stack drop-down was missing templates when using access domain.
This issue is fixed only for existing template stacks.
Fixed an issue where IP tags were not evaluated in the filter evaluation criteria when Dynamic Address Groups were configured.
Fixed an issue where Panorama commits failed due to a process (useridd) exceeding the maximum number of file descriptors while a large number of firewalls were connecting to Panorama for User-ID redistribution.
Fixed an issue where
for HA1 and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly reported.
Fixed an intermittent issue on the firewall where H.225 VOIP signaling packets dropped.
Fixed an intermittent issue where user-to-IP address mappings were not redistributed to client firewalls.
Fixed an issue where an HA configuration went out of sync when the HA sync job was queued and processed during an ongoing content installation job on the passive firewall.
Fixed a rare issue where the
show ntp
CLI command showed the status as
even when the NTP was synced with at least one NTP server.
Fixed an intermittent issue where a Security policy with Send ICMP Unreachable enabled for certain drop or reset sessions caused a process (all-pktproc) to restart.
Added an enhancement to improve handling for firewall management web interface sessions that time out so that the message Your session has expired does not display. Now, the web interface will present a timeout page that presents a button to redirect back to the login page.
Fixed an issue where a configuration push from Panorama to the firewall showed the Commit All status as complete even though the job was still in process.
Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.
Fixed a memory leak issue where virtual memory used by the SNMP process started to slowly increase when the request was sent with a
of 0.
(PA-800 Series firewalls only) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.
Fixed an issue on Panorama where the show system logdb-quota CLI command took more time than expected, which caused the configuration lock to time out.
Fixed an issue where certificate-based authentication with IKEv2 IPSec tunnels failed to establish with some third-party vendors.
A fix was made to address an information exposure vulnerability in Panorama that disclosed the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performed a context switch (CVE-2020-2022).
Fixed an issue where only the current day's logs were visible on Panorama.
Fixed an issue where the LDAP query took longer than expected to populate in the web interface.
Fixed an issue where the firewall returned incorrect information about the logging service status when the information was requested through the web interface.
Fixed an issue with the session browser search where using more than 32 characters caused an error.
Fixed an issue where the Device Connectivity status was grey on the firewall web interface even when the SSL session with the logging service was successful.
Added support for high powered module PAN-QSFP28-100GBASE-ER4.
Fixed an issue on Panorama where WildFire cloud content download failed for content deployment to the WF-500 appliance.
Fixed an issue where template variable view failed to display some template variables when the Device Priority type variable was configured.
Fixed an issue where a process (devsrvr) stopped responding when the firewall received corrupted data from the PAN-DB cloud.
Fixed an issue where firewall policy configurations displayed [object Object] instead of the object names.
Fixed an issue where the static route path monitoring status was not viewable from the CLI or web interface and failed with the following error message:
failed to execute op command
Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.
Fixed an issue that caused a process (snmpd) to stop responding when sending a Simple Network Management Protocol (SNMP) GET request for
on a Panorama appliance in Management Only mode.
Fixed an issue where a passive Panorama appliance reported that device groups were out of sync despite a successful HA sync from the active Panorama appliance. This issue occurred when the address objects defined in the device group were in use under the corresponding template.
