PAN-OS 9.0.13 Addressed Issues

PAN-OS® 9.0.13 addressed issues.
Fixed an issue on multi-dataplane platforms where traffic through Large Scale VPN (LSVPN) tunnels dropped with the error message "tunnel resolution failure".
Fixed an issue on the Panorama management server that caused invalid reference errors when attempting to delete an address object (Objects > Addresses) after removing the address object reference from an address group (Objects > Address Groups), resulting in you being unable to commit and push the configuration to managed firewalls.
Fixed an issue where, for local administrators using an authentication profile, the save filter (Monitor > Logs) option was grayed out.
Fixed an issue where several operations and processes stopped responding due to a deadlock issue between the CLI thread and the Terminal Server (TS) agent message processing the thread.
Fixed an issue where the firewall stopped populating the multicast FIB table with OIL entries for multicast groups.
(PA-3200 Series firewalls only) Fixed an issue where the firewall processed internal path monitoring packets more slowly than expected when processing large amounts of traffic, which caused the dataplane to restart.
Fixed an issue where multiple all_pktproc daemons restarted while processing HTTP/2 traffic in sw_offload.
Fixed an issue where multicast RTP traffic triggered unicast RTP Control Protocol (RTCP), and the predict session failed to install, which blocked the parent RTP session from forwarding packets.
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
Fixed an issue in the configuration logs where the destination zone was masked by asterisks.
Fixed an issue where iPad devices did not display Captive Portal multi-factor authentication (MFA) pages correctly when using Okta for push notifications.
Fixed an issue where commits and autocommits repeatedly failed due to an out-of-memory (OOM) condition that disrupted the processes pan_task and devsrvr.
Fixed a memory leak issue related to a process (configd) that was caused by log queries filtering by address.
Fixed an issue where the firewall dropped VoIP traffic over IPSec with counters
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where multicast groups were not set correctly, which caused ARP entries to display as
and not update to correct values.
Fixed an issue on the firewall where a GlobalProtect username authenticated via Kerberos was unnecessarily normalized to SAMAccountName format.
Fixed an issue where not all fragmented packets were transmitted, which caused increased packet buffer usage.
Fixed an issue where the User-ID process CPU usage remained high when a large number of TS agents were configured but only a few were connected.
Fixed an issue with configuration memory leaks on Panorama that caused a process (configd) to restart.
Fixed an issue where, when initial flows from both directions reached the firewall at the same time, a race condition occurred, which caused the firewall to display the following error message: Duplicate flows detected while inserting <number>;, flow <number> with the same key. The flow keys were identical due to the flows having the same SRC and DST ports.
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
Fixed an issue where the Destination NAT with DNS Rewrite enabled and set to
did not work when the destination IP address was a single IP address instead of an IP range.
Fixed a memory leak issue where a process (dnsproxy) did not properly release memory after use.
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a
character in the rule usage column.
Fixed an issue where remote users were able to save log filters, which created a local user with the same username. With this fix, remote users cannot save a log filter.
Fixed an intermittent issue where memory was not fully freed after a Panorama commitAll completion on the firewall.
Fixed an issue on firewalls with high availability active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the Inactivity Logout timer did not reset.
Fixed an issue where, when deploying a VM-Series firewall on VMware NSX that had been assigned a serial number that was used by a previously deactivated firewall, the new firewall was deployed in a deactivated or partially deactivated state.
Fixed a rare issue with HTTP/2 decryption that caused packet header bytes to be corrupted, which caused packet drops.
An enhancement was made to enable additional logging during kernel panic/oops that helps identify the cause.
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
(PA-7000 Series firewalls only) Fixed an issue where Network Processing Cards (NPC) took longer than expected or failed to boot.
Fixed an issue where a process (configd) stopped responding which caused context switches to slow.
Fixed an issue on the firewall where configuring auto-tagging based on URL filtering logs resulted in tags being added to source IP addresses and not matching the log forwarding filter match criteria.
PAN-149916, PAN-137122, and PAN-147254
jQuery was updated to 3.5.1.
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMware vCenter Server.
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list.
Fixed an issue where newly created interface management profiles were unable to be linked to subinterfaces.
Fixed an issue where the last commit state did not change to "config sent to device" when pushing a device group configuration in the Managed Device > Summary page on Panorama.
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints.
Fixed an issue where traffic incorrectly matched URL based authentication policies.
Fixed an issue where the firewall was unable to properly create Stream Control Transmission Protocol (SCTP) sessions for multi-homed environments when multiple endpoints on the same SCTP associations sent INIT/INIT-ACK chunks during handshakes.
Fixed an issue where the
on the
file did not work as expected, which led to entries in
not being uniquely identified.
Debug commands were added to address an issue where the firewall failed to connect to Cortex Data Lake due to the Online Certificate Status Protocol (OCSP) message missing the
value in the OCSP response.
Fixed an intermittent issue where a high traffic load in a Layer 2 deployment caused SNMP and Panorama health monitoring failures.
(Panorama virtual appliances in high availability (HA) configurations with VMware NSX plugin only) Fixed an issue where dynamic address group updates and configuration pushes failed when new plugins were installed or uninstalled, or when a process (configd) was restarted or reinitialized.
Fixed an issue where locally disabling the rule hit-count feature on Panorama caused a memory leak.
Fixed a memory leak issue related to a process (devsrvr).
Fixed an issue where deploying the Master Key to managed devices through Panorama using the Deploy Master Key feature (Panorama > Managed Devices > Summary > Deploy Master Key) failed.
Removed the fields device SN and device name on Panorama from the predefined filter used in Log Forwarding and Log Settings.
Fixed an issue where logs were not forwarded to the syslog server with the following error message: profile: Syslog (1) is duplicated
Fixed an issue where authenticating to GlobalProtect via expired SAML requests (waiting more than 10 minutes) still sent authentication to the SAML server. This invalidated the previously connected gateway and connected users to the second best gateway.
Fixed an issue where the High Speed Chassis Interconnect (HSCI) port flapped continuously after an upgrade or reboot.
Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.
Fixed an issue where an admin user authenticated to Panorama with RADIUS and assigned a Device Group and Template Admin role using access domains was unable to add a managed firewall to Panorama and received the following error message: Import failed user <username> does not exist
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where the connection details for a scheduled configuration export were logged in system logs (CVE-2021-3037).
(VM-Series firewalls only) Fixed an issue where firewalls with Layer 3 subinterfaces reset Class of Service (CoS) bits in 802.1q.
Fixed an issue where the GlobalProtect gateway and portal failed to generate authentication cookies for pre-logon and user-logon events due to a failure to populate the
field in the authentication cookie.
Fixed an issue where a process (all_task_3) restarted, which caused the tunnels to reset.
Fixed an issue where DHCP was not configurable from Panorama templates in single virtual system (vsys) mode.
Fixed an issue where commits failed due to OOM events caused by the PAN-DB database.
Fixed an issue where secure communication settings were incorrectly synchronized between Panorama appliances in an HA configuration.
(PA-7000 Series firewalls only) Fixed an issue where firewalls were unable to start up an NPC due to a process (brdagent) restarting repeatedly.
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.

