PAN-OS 9.0.13 Addressed Issues

PAN-OS® 9.0.13 addressed issues.
Issue ID
Description
PAN-163538
Fixed an issue on multi-dataplane platforms where traffic through Large Scale VPN (LSVPN) tunnels dropped with the error message
tunnel resolution failure
.
PAN-161121
Fixed an issue on the Panorama management server that caused invalid reference errors when attempting to delete an address object (
Objects > Addresses
) after removing the address object reference from an address group (
Objects > Address Groups
) resulting in you being unable to commit and push the configuration to managed firewalls.
PAN-160376
Fixed an issue where, for local administrators using an authentication profile, the
save filter
(
Monitor > Logs
) option was grayed out.
PAN-158650
Fixed an issue where several operations and processes stopped responding due to a deadlock issue between the CLI thread and the Terminal Server (TS) agent message processing the thread.
PAN-158328
Fixed an issue where the firewall stopped populating the multicast FIB table with OIL entries for multicast groups.
PAN-157049
(
PA-3200 Series firewalls only
) Fixed an issue where the firewall processed internal path monitoring packets more slowly than expected when processing large amounts of traffic, which caused the dataplane to restart.
PAN-156375
Fixed an issue where multiple all_pktoproc daemons restarted while processing HTTP/2 traffic in sw_offload.
PAN-155656
Fixed an issue where multicast RTP traffic triggered unicast RTP Control Protocol (RTCP), and the predict session failed to install, which blocked the parent RTP session from forwarding packets.
PAN-155517
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
PAN-155453
Fixed an issue in the configuration logs where the destination zone was masked by asterisks.
PAN-155294
Fixed an issue where iPad devices did not display Captive Portal multi-factor authentication (MFA) pages correctly when using Okta for push notifications.
PAN-154844
Fixed an issue where commits and autocommits repeatedly failed due to an out-of-memory (OOM) condition that disrupted the processes pan_task and devsrvr.
PAN-154812
Fixed a memory leak issue related to a process (configd) that was caused by log queries filtering by address.
PAN-154195
Fixed an issue where the firewall dropped VoIP traffic over IPSec with counters
flow_predict_convert_rtp_drop
and
flow_predict_convert_failed
.
PAN-153526
(
PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only
) Fixed an issue where multicast groups were not set correctly, which caused ARP entries to display as
incomplete
and not update to correct values.
PAN-153294
Fixed an issue on the firewall where a GlobalProtect username authenticated via Kerberos was unnecessarily normalized to SAMAccountName format.
PAN-153261
Fixed an issue where not all fragmented packets were transmitted, which caused increased packet buffer usage.
PAN-152998
Fixed an issue where the User-ID process CPU usage remained high when a large number of TS agents were configured but only a few were connected.
PAN-152813
Fixed an issue with configuration memory leaks on Panorama that caused a process (configd) to restart.
PAN-152743
Fixed an issue where, when initial flows from both directions reached the firewall at the same time, a race condition occurred, which caused the firewall to display the following error message:
Duplicate flows detected while inserting <number>;, flow <number> with the same key
. The flow keys were identical due to the flows having the same SRC and DST ports.
PAN-152648
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
PAN-152253
Fixed an issue where the Destination NAT with
DNS Rewrite
enabled and set to
forward
did not work when the destination IP address was a single IP address instead of an IP range.
PAN-152103
Fixed a memory leak issue where a process (dnsproxy) did not properly release memory after use.
PAN-152098
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a
-
character in the rule usage column.
PAN-151888
Fixed an issue where remote users were able to save log filters, which created a local user with the same username. With this fix, remote users cannot save a log filter.
PAN-151503
Fixed an intermittent issue where memory was not fully freed after a Panorama commitAll completion on the firewall.
PAN-151458
Fixed an issue on firewalls with high availability active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the
Inactivity Logout
timer did not reset.
PAN-150998
Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state.
PAN-150968
Fixed a rare issue with HTTP/2 decryption that caused packet header bytes to be corrupted, which caused packet drops.
PAN-150867
An enhancement was made to enable additional logging during kernel panic/oops that helps identify the cause.
PAN-150852
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
PAN-150798
(
PA-7000 Series firewalls only
) Fixed an issue where Network Processing Cards (NPC) took longer than expected or failed to boot.
PAN-150085
Fixed an issue where a process (configd) stopped responding which caused context switches to slow.
PAN-150008
Fixed an issue on the firewall where configuring auto-tagging based on URL filtering logs resulted in tags being added to source IP addresses and not matching the log forwarding filter match criteria.
PAN-149916, PAN-137122, and PAN-147254
jQuery was updated to 3.5.1.
PAN-149641
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the
VM Information Sources
feature with a VMWare vCenter Server.
PAN-149339
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
PAN-149283
Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list.
PAN-148549
Fixed an issue where newly created interface management profiles were unable to be linked to subinterfaces.
PAN-147959
Fixed an issue where the last commit state did not change to
config sent to device
when pushing a device group configuration in the
Managed Device > Summary
page on Panorama.
PAN-147221
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints
PAN-146787
Fixed an issue where traffic incorrectly matched URL based authentication policies.
PAN-146236
Fixed an issue where the firewall was unable to properly create stream control transmission protocol (SCTP) sessions for multi-homed environments when multiple endpoints on the same SCTP associations sent INIT/INIT-ACK chunks during handshakes.
PAN-145733
Fixed an issue where the
SNMP INDEX
for
panZoneTable
on the
PAN-COMMON-MIB.my
file did not work as expected, which led to entries in
panZoneTable
not being uniquely identified.
PAN-145417
Debug commands were added to address an issue where the firewall connect to Cortex Data Lake due to the Online Certificate Status Protocol (OSCP) message missing the
nextUpdate
value in the OSCP response.
PAN-144975
Fixed an intermittent issue where a high traffic load in a Layer 2 deployment caused SNMP and Panorama health monitoring failures.
PAN-144887
(
Panorama virtual appliances in high availability (HA) configurations with VMware NSX plugin only
) Fixed an issue where dynamic address group updates and configuration pushes failed when new plugins were installed or uninstalled, or when a process (configd) was restarted or reinitialized.
PAN-144538
Fixed an issue where locally disabling the rule hit-count feature on Panorama caused a memory leak.
PAN-143485
Fixed a memory leak issue related to a process (devsrvr).
PAN-143332
Fixed an issue where deploying the Master Key to managed devices through Panorama using the
Deploy Master Key
feature (
Panorama > Managed Devices > Summary > Deploy Master Key
) failed.
PAN-141255
Removed the fields
device SN
and
device name
on Panorama from the predefined filter used in
Log Forwarding
and
Log Settings
.
PAN-140222
Fixed an issue where logs were not forwarded to the syslog server with the following error message:
profile: Syslog (1) is duplicated
.
PAN-137233
Fixed an issue where authenticating to GlobalProtect via expired SAML requests (waiting more than 10 minutes) still sent authentication to the SAML server. This invalidated the previously connected gateway and connected users to the second best gateway.
PAN-136073
Fixed an issue where the High Speed Chassis Interconnect (HSCI) port flapped continuously after an upgrade or reboot.
PAN-134799
Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.
PAN-134461
Fixed an issue where an admin user authenticated to Panorama with RADIUS and assigned a Device Group and Template Admin role using access domains was unable to add a managed firewall to Panorama and received the following error message:
Import failed user <username> does not exist
.
PAN-131474
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where the connection details for a scheduled configuration export were logged in system logs (CVE-2021-3037).
PAN-129927
(
VM-Series firewalls only
) Fixed an issue where firewalls with Layer 3 subinterfaces reset Class of Service (CoS) bits in 802.1q.
PAN-126815
Fixed an issue where the GlobalProtect gateway and portal failed to generate authentication cookies for pre-logon and user-logon events due to a failure to populate the
remote_addr
field in the authentication cookie.
PAN-124579
Fixed an issue where a process (all_task_3) restarted, which caused the tunnels to reset.
PAN-123638
Fixed an issue where DHCP was not configurable from Panorama templates in single virtual system (vsys) mode.
PAN-123041
Fixed an issue where commits failed due to OOM events caused by the PAN-DB database.
PAN-120013
Fixed an issue where secure communication settings were incorrectly synchronized between Panorama appliances in an HA configuration.
PAN-119161
(
PA-7000 Series firewalls only
) Fixed an issue where firewalls were unable to start up an NPC due to a process (brdagent) restarting repeatedly.
PAN-79640
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.

Recommended For You