A fix was made to address the remote code execution vulnerability
known as Log4Shell (CVE-2021-44228) in Elasticsearch included with
Panorama management servers.
Fixed an issue where downloading Dynamic
Updates files failed when connected to the static update server.
Fixed an issue on firewalls in high availability
(HA) configurations where a process (brdagent) stopped
responding on a suspended active peer, which caused the suspended
firewall to continue sending traffic.
Fixed an issue where SNMP readings reported
as 0 for dataplane interface packet statistics for Amazon Web Services
(AWS) m5n.4xlarge instance types. This issue occurred because the
physical port counters read from MAC addresses were reported as
Fixed an issue where the Elasticsearch process
continuously restarted if zero-length files were present.
Fixed an issue in an HA active/passive configuration
where old GTP-U (GPRS tunneling protocol) tunnel sessions did not
sync to the passive firewall during some upgrades, such as upgrading
from a PAN-OS 8.1 release version to a 9.0 release version or upgrading
from a 9.0 release version to a 9.1 release version.
Fixed an issue on firewalls in HA configurations
where HA-2 links continuously flapped on HSCI interfaces after upgrading
to PAN-OS 8.1.19.
Fixed an issue where NetFlow traffic triggered
a packet buffer leak.
Fixed an issue in an HA configuration where,
when one firewall was active and its peer was in a suspended state,
the suspended firewall continued to send traffic, which triggered
the detection of duplicate MAC addresses.
Fixed an issue where, when a partial
failed, a process (configd) stopped responding.
Fixed an issue with Content and Threat Detection
where traffic patterns created a bus error, which caused the all_pktproc process
to stop responding and the dataplane to restart.
(PA-3000 Series firewalls only)
Fixed an issue where Server Message Block (SMB) sessions failed
due to resource unavailability.
Fixed an issue where SNMPv3 traps were not
processed by the
after a firewall reboot.
Fixed an issue when calculating the incremental
checksum after a post-NAT translation where the arguments to
the 32-bit integer.
Fixed an issue where the dataplane restarted
after configuring a
Fixed an issue where intermittent VXLAN
packet drops occurred if the TCI was not configured for inspecting
VXLAN traffic. This issue occurred when traffic was migrated from
a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a
firewall running PAN-OS 9.0 or later.
Fixed an issue where SMB sessions were discarded
with the following error message:
ctd out of resource
Fixed an issue where, after a firewall reboot,
a commit or auto-commit operation failed with the following error:
ID population failed
This issue occurred because the Phase1 ID assignment failure did not
trigger an idmgr reset.
Fixed an issue on firewalls where URL category
responses were not processed by the dataplane in a timely fashion,
which adversely affected web-browsing traffic.
Fixed an intermittent issue where the firewall
dropped GTP-U traffic with the message
Fixed an issue where a process (genindex.sh) caused
high memory usage on the management plane. Due to the resulting
out-of-memory (OOM) condition, multiple processes stopped responding.
Fixed an issue where the firewall was unable
to detect end-user IP address spoofing on the GTP-U for a user data
session when using an IPv6 address.
Fixed an issue where hourly URL summary
log generation failed.
(Firewalls in HA configurations only)
Fixed an issue where connections to the SafeNet hardware security
module (HSM) were lost after upgrading to a new major PAN-OS release.
Fixed an issue where the output of the CLI command
show running resource-monitor ingress-backlogs
displayed an incorrect total utilization value.
A debug command was added to provide more
verbose output when troubleshooting packet processing on the firewall.
Fixed an intermittent issue where, when
the DNS Security cloud was not reachable, DNS responses had bad