PAN-OS 9.0.12 Addressed Issues

PAN-OS® 9.0.12 addressed issues.
Issue ID
Description
PAN-158691
Fixed an issue with GPRS tunneling protocol (GTP) event packet capture (pcap) where enabling Packet Capture did not work.
PAN-155053
Fixed an issue where user information in the Clientless VPN wasn't handled properly in high availability (HA) configurations, which resulted in the firewall being unable to create more user sessions.
PAN-154323
Fixed an issue in Panorama where frequent API requests caused the Panorama web interface to become unresponsive. This issue occurred because the web interface automatically refreshed after each request.
PAN-154114
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where secrets in PAN-OS XML API requests were logged in cleartext in the web server logs when the API was used incorrectly (CVE-2021-3036).
PAN-153440
Fixed an issue where firewalls repeatedly connected and disconnected to Cortex Data Lake due to a probing issue.
PAN-153107
Fixed an issue where a dataplane process stopped responding while processing fragmented traffic on GTP-U tunnels.
PAN-152912
Fixed an issue where a content update caused the Panorama XML cache build to fail. This resulted in references to the used objects on Panorama being removed, which caused commits on the managed firewalls to fail.
PAN-152746
Fixed an issue where the firewall dropped GTPv2-x Create Session Response packets with the following error message: bad port 84b.
PAN-152440
Fixed an issue where the syntax on GlobalProtect DNS suffixes was not validated.
PAN-152282
Fixed an issue where platforms using AHO for content and application inspection ran into dataplane process (all_pktproc) restarts.
PAN-151486
Fixed an issue where user activity reports failed to run when the firewall was in FIPS mode.
PAN-151483
Fixed an issue where, when an out-of-order stream of TCP packets was subjected to HTTP header insertion, the packets were duplicated.
PAN-151149
Fixed an issue where certificates, custom logos, and Security Assertion Markup Language (SAML) metadata were unable to be uploaded from the web interface using a Chromium-based browser running version 84 or later.
PAN-149915
Fixed an issue where a Panorama virtual appliance was unable to manage more than 2,500 firewalls when 28 or more CPU cores were available.
PAN-149696
Fixed an intermittent issue where the GlobalProtect portal stopped responding with a 502 Bad Gateway response page when trying to access the portal URL using a web browser.
PAN-149645
Fixed an issue in a virtual wire deployment configured with Link State Pass Through enabled where, when one member port went down, the peer port took longer than expected to change the status to Down.
PAN-149547
Fixed an issue where, after a change in Security policies, traffic logs for inner GTP-U sessions did not show IMSI or IMEI fields following a commit.
PAN-149377
A fix was made to address a vulnerability regarding information exposure through log files in PAN-OS that made it possible for configuration secrets for HTTP, email, and SNMP trap v3 log forwarding server profiles to be logged to the logrcvr.log system log (CVE-2021-3032).
PAN-149001
Fixed an issue where, when using certificate profiles configured under specific virtual systems (vsys), the GlobalProtect Machine Certification Check and HIP Object failed during a client certificate check.
PAN-148818
Fixed an issue where the decryption profile was configured without the Block sessions with expired certificates option, but the firewall still blocked websites that were signed by an Expired AddTrust Root CA (certificate authority).
PAN-148767
Fixed an issue where the firewall incorrectly created GTP-U sessions from Create Session Request and Create Session Response packets.
PAN-148441
Fixed an issue where required processes were not automatically restarted on the Log Processing Card (LPC) or the Log Forwarding Card (LFC).
PAN-147847
Fixed an issue where traffic didn't hit the intended Security policy if SSL forward proxy was enabled and service was set to application-default.
PAN-147796
Fixed an issue on firewalls with IPsec/Encapsulating Security Payload (ESP) traffic and a GlobalProtect gateway configuration where multiple processes (flow_ctrl, pktlog_forwarding, and all_task) restarted, which caused the device to reboot.
PAN-147529
Fixed an issue where ValidateAll jobs were incorrectly logged as CommitAll in the configuration log of the firewall.
PAN-147385
Fixed an issue where firewall buffers were depleted with GTP traffic due to the mishandling of conflicting sessions.
PAN-147305
Fixed an issue where a process (useridd) stopped responding to requests.
PAN-147298
(PA-7050 and PA-7080 firewalls with 100G NPC only) Fixed an issue where jumbo frames brought down the Network Processing Card (NPC) when traffic traversed the firewall at a high rate.
PAN-147036
Fixed an issue where TCP connections got stuck between the firewall and the Log Collector if some packets were dropped on the path between the two appliances.
PAN-146763
Fixed a configuration issue on a multi-vsys where the configured interface service route for email schedule reports was not being used.
PAN-146215
(FPP offload based hardware model only) Fixed an issue where, when UDP traffic that was received on a tunnel had back-to-back client-to-server packets, random packets dropped.
PAN-145996
An update was made to change the following system log message: "DO NOT CHOOSE WMI in Active-Directory FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN <number> SECONDS" to "Please change server monitor(log server) Transport Protocol from WMI to WinRM for better performance". This update also reduces the severity from High to Informational.
PAN-144410
Debug logs were added to detect an out-of-memory (OOM) condition that caused the management server to restart.
PAN-143090
Fixed an issue where the firewall silently dropped TCP out-of-order packets.
PAN-142867
Fixed an issue where service session timeout override was not used for custom applications and the default value was chosen instead.
PAN-142604
Fixed an issue where virtual memory of a process (configd) continuously increased until it stopped responding.
PAN-142548
Fixed a memory leak issue in a process (configd) that caused the firewall to be inaccessible.
PAN-140669
Fixed a memory leak issue caused by a process (mgmtsrvr).
PAN-140492
Fixed an issue on the firewall where, with SSL Forward Proxy feature enabled, random file downloads over a decrypted session would stall or hang in the middle.
PAN-139661
Fixed an issue that led to exhaustion of memory, which resulted in path monitoring failures when Cortex Data Lake was configured.
PAN-139007
Fixed an issue where URL Filtering logs were misaligned when exported from the firewall due to the presence of a comma in the User-Agent field of the logs.
PAN-138573
Fixed an issue where the keyword [Disabled] was missing from the disabled policies exported in CSV/PDF format.
PAN-137741
Fixed an issue where the data for a botnet report was deleted before the botnet report was completed.
PAN-137375
Fixed an issue where a process (ikmgr) stopped responding during IKE SA negotiations when Online Certificate Status Protocol (OCSP) was enabled.
PAN-136652
(PA-3200 Series and PA-800 Series firewalls only) Fixed an issue where you were unable to disable auto negotiation on small form-factor pluggable (SFP) ports.
PAN-136607
Fixed an issue with GTP event packet capture (pcap) where enabling Packet Capture did not work.
PAN-134909
Fixed an issue where region information was not called due to a mismatch in uppercase and lowercase letters in the region name.
PAN-134840
Fixed an issue where pre-logon users failed authentication if the cookie was expired, instead of using certificate authentication.
PAN-134467
Fixed an issue with the GlobalProtect portal where pre-logon authentication failed when agent Config Selection Criteria was configured on the firewall.
PAN-134251
(PA-7000 Series firewalls only) Fixed an issue where unplugging cables from Quad Small Form-factor Pluggable (QSFP) interfaces on 100G NPC caused path monitoring failures.
PAN-133885
Fixed an issue where DNS proxy failed due to incorrect mapping of the DNS transaction ID.
PAN-132055
Fixed an issue where a process (mgmtsrvr) was unresponsive when the number of active file descriptors was greater than 1024.
PAN-129234
Fixed an issue where syslog connection failures were frequently reported in system logs.
PAN-124681
A fix was made to address a vulnerability where Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls were not cleared before the data frame was created (CVE-2021-3031).
PAN-121604
(PA-3200 Series firewalls only) Fixed an issue where a process (brdagent) stopped responding during firewall bootup.
PAN-110720
Fixed an issue where a high volume of traffic over SSL VPN caused a process (all_pktproc) to unexpectedly stop responding.
PAN-109877
Fixed an issue where BGP flapped continuously with Jumbo Frames enabled on the firewall.
PAN-100489
Fixed an issue where the Group found flag was set to NO on User-ID logs on the web interface, even when the user belonged to a group retrieved from the Active Directory (AD) server.