PAN-OS 9.0.15 Addressed Issues
PAN-OS® 9.0.15 addressed issues.
A fix was made to address a remote code execution vulnerability in Elasticsearch included with Panorama management servers known as Log4Shell (CVE-2021-44228).
Fixed an issue where downloading Dynamic Updates files failed when connected to the static update server at
Fixed an issue on firewalls in high availability (HA) configurations where a process (brdagent) stopped responding on a suspended active peer, which caused the suspended firewall to continue sending traffic.
Fixed an issue where SNMP readings reported as 0 for dataplane interface packet statistics for Amazon Web Services (AWS) m5n.4xlarge instance types. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
Fixed an issue where the Elasticsearch process continuously restarted if zero-length files were present.
Fixed an issue on an HA active/passive configuration where old (GPRS tunneling protocol) GTP-U tunnel sessions did not sync to the passive firewall during some upgrades, such as upgrading from a PAN-OS 8.1 release version to a 9.0 release version or upgrading from a 9.0 release version to a 9.1 release version.
Fixed an issue on firewalls in HA configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
Fixed an issue where NetFlow traffic triggered a packet buffer leak.
Fixed an issue in an HA configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.
Fixed an issue where, when a partial
Preview Changejob failed, a process (configd) stopped responding.
Fixed an issue with Content and Threat Detection where traffic patterns created a bus error, which caused the all_pktproc process to stop responding and the dataplane to restart.
PA-3000 Series firewalls only) Fixed an issue where Server Message Block (SMB) sessions failed due to resource unavailability.
Fixed an issue where SNMPV3 traps were not processed by the
snmptrapreceiver after a firewall reboot.
Fixed an issue when calculating the incremental checksum after a post-NAT translation where the arguments to
pan_in_cksm32_diffoverflowed the 32-bit integer.
Fixed an issue where the dataplane restarted after configuring a
Fixed an issue where intermittent VXLAN packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.
Fixed an issue where SMB session were discarded with the following error message:
ctd out of resource.
Fixed an issue where, after a firewall reboot, a commit or auto-commit operation failed with the following error message:
ID population failed. This issue occurred because the Phase1 ID assignment failure did not trigger an idmgr reset.
Fixed an issue on firewalls where URL category responses were not processed by the dataplane in a timely fashion, which adversely affected web-browsing traffic.
Fixed an intermittent issue where the firewall dropped GTP-U traffic with the message
Fixed an issue where a process (genindex.sh) caused high memory usage on the management plane. Due to the resulting out-of-memory (OOM) condition, multiple processes stopped responding.
Fixed an issue where the firewall was unable to detect end-user IP address spoofing on the GTP-U for a user data session when using an IPv6 address.
Fixed an issue where hourly URL summary log generation failed.
Firewalls in HA configurations only) Fixed an issue where connections to the SafeNet hardware security module (HSM) were lost after upgrading to a new major PAN-OS release.
Fixed an issue where the output of the CLI command
show running resource-monitor ingress-backlogsdisplayed an incorrect total utilization value.
A debug command was added to provide more verbose output when troubleshooting packet processing on the firewall.
Fixed an intermittent issue where, when the DNS Security cloud was not reachable, DNS responses had bad UDP checksums.
Recommended For You
Recommended videos not found.