PAN-OS 9.0.13 Addressed Issues
PAN-OS® 9.0.13 addressed issues.
Fixed an issue on multi-dataplane platforms where traffic through Large Scale VPN (LSVPN) tunnels dropped with the error message
tunnel resolution failure.
Fixed an issue on the Panorama management server that caused invalid reference errors when attempting to delete an address object (Objects > Addresses) after removing the address object reference from an address group (Objects > Address Groups), resulting in you being unable to commit and push the configuration to managed firewalls.
Fixed an issue where, for local administrators using an authentication profile, the
Monitor > Logs) option was grayed out.
Fixed an issue where several operations and processes stopped responding due to a deadlock between the CLI thread and the Terminal Server (TS) agent message processing thread.
Fixed an issue where the firewall stopped populating the multicast FIB table with OIL entries for multicast groups.
(PA-3200 Series firewalls only) Fixed an issue where the firewall processed internal path monitoring packets more slowly than expected when processing large amounts of traffic, which caused the dataplane to restart.
Fixed an issue where multicast RTP traffic triggered unicast RTP Control Protocol (RTCP), and the predict session failed to install, which blocked the parent RTP session from forwarding packets.
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
Fixed an issue in the configuration logs where the destination zone was masked by asterisks.
Fixed an issue where iPad devices did not display Captive Portal multi-factor authentication (MFA) pages correctly when using Okta for push notifications.
Fixed an issue where the firewall dropped VoIP traffic over IPSec with counters
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where multicast groups were not set correctly, which caused ARP entries to display as incomplete and not update to correct values.
Fixed an issue on the firewall where a GlobalProtect username authenticated via Kerberos was unnecessarily normalized to SAMAccountName format.
Fixed an issue where not all fragmented packets were transmitted, which caused increased packet buffer usage.
Fixed an issue where the User-ID process CPU usage remained high when a large number of TS agents were configured but only a few were connected.
Fixed an issue where, when initial flows from both directions reached the firewall at the same time, a race condition occurred, which caused the firewall to display the following error message:
Duplicate flows detected while inserting <number>, flow <number> with the same key. The flow keys were identical due to the flows having the same SRC and DST ports.
Fixed an issue where the Destination NAT with DNS Rewrite enabled and set to forward did not work when the destination IP address was a single IP address instead of an IP range.
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a - character in the rule usage column.
Fixed an issue where remote users were able to save log filters, which created a local user with the same username. With this fix, remote users cannot save a log filter.
Fixed an intermittent issue where memory was not fully freed after a Panorama commitAll completion on the firewall.
Fixed an issue on firewalls with high availability active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the Inactivity Logout timer did not reset.
Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state.
Fixed a rare issue with HTTP/2 decryption that caused packet header bytes to be corrupted, which caused packet drops.
An enhancement was made to enable additional logging during kernel panic/oops that helps identify the cause.
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
(PA-7000 Series firewalls only) Fixed an issue where Network Processing Cards (NPC) took longer than expected or failed to boot.
Fixed an issue on the firewall where configuring auto-tagging based on URL filtering logs resulted in tags being added to source IP addresses and not matching the log forwarding filter match criteria.
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMware vCenter Server.
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list.
Fixed an issue where newly created interface management profiles were unable to be linked to subinterfaces.
Fixed an issue where the last commit state did not change to config sent to device when pushing a device group configuration in the Managed Device > Summary page on Panorama.
jQuery was updated to 3.5.1.
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints.
Fixed an issue where traffic incorrectly matched URL based authentication policies.
Fixed an issue where the firewall was unable to properly create stream control transmission protocol (SCTP) sessions for multi-homed environments when multiple endpoints on the same SCTP associations sent INIT/INIT-ACK chunks during handshakes.
Fixed an issue where the PAN-COMMON-MIB.my file did not work as expected, which led to entries in panZoneTable not being uniquely identified.
Debug commands were added to address an issue where the firewall failed to connect to Cortex Data Lake due to the Online Certificate Status Protocol (OCSP) message missing the nextUpdate value in the OCSP response.
Fixed an intermittent issue where a high traffic load in a Layer 2 deployment caused SNMP and Panorama health monitoring failures.
(Panorama virtual appliances in high availability (HA) configurations with VMware NSX plugin only) Fixed an issue where dynamic address group updates and configuration pushes failed when new plugins were installed or uninstalled, or when a process (configd) was restarted or reinitialized.
Fixed an issue where locally disabling the rule hit-count feature on Panorama caused a memory leak.
Fixed an issue where deploying the Master Key to managed devices through Panorama using the Deploy Master Key feature (Panorama > Managed Devices > Summary > Deploy Master Key) failed.
Removed the fields
device name on Panorama from the predefined filter used in
Fixed an issue where logs were not forwarded to the syslog server with the following error message:
profile: Syslog (1) is duplicated.
Fixed an issue where authenticating to GlobalProtect via expired SAML requests (waiting more than 10 minutes) still sent authentication to the SAML server. This invalidated the previously connected gateway and connected users to the second best gateway.
Fixed an issue where the High Speed Chassis Interconnect (HSCI) port flapped continuously after an upgrade or reboot.
Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.
Fixed an issue where an admin user authenticated to Panorama with RADIUS and assigned a Device Group and Template Admin role using access domains was unable to add a managed firewall to Panorama and received the following error message:
Import failed user <username> does not exist.
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where the connection details for a scheduled configuration export were logged in system logs (CVE-2021-3037).
(VM-Series firewalls only) Fixed an issue where firewalls with Layer 3 subinterfaces reset Class of Service (CoS) bits in 802.1q.
Fixed an issue where the GlobalProtect gateway and portal failed to generate authentication cookies for pre-logon and user-logon events due to a failure to populate the remote_addr field in the authentication cookie.
Fixed an issue where DHCP was not configurable from Panorama templates in single virtual system (vsys) mode.
Fixed an issue where commits failed due to OOM events caused by the PAN-DB database.
Fixed an issue where secure communication settings were incorrectly synchronized between Panorama appliances in an HA configuration.
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.