PAN-OS 9.0.3 Addressed Issues
Focus
Focus

PAN-OS 9.0.3 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 9.0.3 Addressed Issues

PAN-OS® 9.0.3 addressed issues.
Issue ID
Description
WF500-4995
Fixed an issue on Panorama™ M-Series and WF-500 appliances where administrators were unable to run the debugsoftware disk-usage aggressive-cleaning enable CLI command and resulted in the following error message: Server error:Failed to execute op command.
PAN-118949
Fixed an issue where after you changed the filter configuration in the user.src notin 'cns\proxy full profile, the firewall displayed the following error message: Unknown user group cns\Proxy Full.
PAN-118640
Fixed an issue where the GTP-U session did not match the correct policy, which caused the IMSI and IMEI not to display in the inner session traffic and threat logs.
PAN-118525
(PA-5250, PA-5260, PA-5280, and PA-7000 Series firewalls only) Fixed an issue where the QSFP28 port did not come up with the TR-FC13L-N00 version of the PAN-QSFP28-100GBASE-LR4 optical transceiver on firewalls running a PAN-OS 9.0 release.
PAN-118008
(PA-3000 Series firewalls only) Fixed an intermittent issue where a low memory condition prevented decoders from loading, which led to traffic inspection issues related to the impacted decoder(s).
PAN-117424
Cortex Data Lake without Panorama—where we removed Panorama as a requirement to send logs to Cortex Data Lake—was introduced in PAN-OS® 9.0.2, and was not initially supported for PA-220 and PA-800 Series firewalls. This issue details a change we've made in PAN-OS 9.0.3 to support this feature across all firewall platforms. Here’s how you can get started with Cortex Data Lake now.
PAN-117359
(Firewalls with an AutoFocus license only) Fixed an issue where AutoFocus™ threat intelligence did not display when hovering over source and destination addresses in the logs when you configure a service route or proxy.
PAN-117249
Fixed an issue where end users who don't have REST API authentication roles were able to list and edit configuration rules.
PAN-117149
Fixed an issue on firewalls configured with authentication policies where sessions matching an authentication policy did not generate traffic logs as defined in the security policy when sessions were redirected or denied.
PAN-116969
Fixed an issue where authentication failed when you configured a User Principal Name (UPN) and included a group in the profile.
PAN-116848
Fixed an issue where multiple device group administrators simultaneously enabled configuration locks caused a race condition.
PAN-116828
Fixed an issue on Panorama M-Series and virtual appliances where the management server and a process (configd) used higher than expected CPU and memory.
PAN-116069
(PA-200 firewalls only) Fixed a rare out-of-memory (OOM) condition.
PAN-116579
Fixed an issue where the firewall sent truncated URLs to the Captive Portal Redirect message when HTTPS traffic sent through a proxy server was subjected to decryption.
PAN-116188
Fixed an issue where communication between tunnel interfaces did not respond when you configured a generic routing encapsulation (GRE) tunnel.
PAN-116022
Fixed an issue where the NSX Manager passed a blank string to Panorama, which added a null entry into the configuration and caused commits to fail.
PAN-115930
Fixed an intermittent issue where after a configuration change, a commit caused the dataplane to stop responding.
PAN-115526
Fixed an issue where a dataplane process (all_pktproc) stopped responding due to a packet buffer protection feature.
PAN-115494
Fixed an issue where the /opt/pancfg/ partition became full due to a configuration preview operation not responding.
PAN-115415
Fixed an issue where a session created from a predict session went into DISCARD state.
PAN-115379
Fixed an issue where you were unable to create a custom log forwarding profile when you configured a filter with the "in" and "not in" configurations (ObjectsLog ForwardingAddAddFilterFilter Builder) and resulted in the following error message: Invalid filter policy-logging-cf-ent -> match-list -> ITS_url_logs -> filteris invalid.
PAN-115339
Fixed a rare issue where a commit caused the firewall to stop responding when you enabled flow debug and configured a NAT policy.
PAN-115035
Fixed a rare issue where Traffic logs, Threat logs and URL filtering logs stopped generating.
PAN-115012
Fixed an issue where a process (appweb) stopped responding, which caused the web interface to stop responding.
PAN-114867
Fixed an issue where GlobalProtect™ gateway client configuration generation failed when a matching rule existed.
PAN-114743
Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall to PAN-OS 8.1, commits failed when Panorama was configured to manage shared gateway objects for managed firewalls.
PAN-114695
Fixed an issue where a daemon (authd) stopped responding when you configured a GlobalProtect portal and gateway with Security Assertion Markup Language (SAML) authentication.
PAN-114642
Fixed an issue where firewall logs incorrectly included the end-user IP address in GTP message logs when you configured PAA IE with IPv4 and IPv6 dual stack in the Create Session Response message.
PAN-114607
Fixed an issue where all the log collectors did not get queued when you configured more than 32 collector groups.
PAN-114593
Fixed an issue where the setsystem setting layer4-checksum disable CLI command did not disable the Layer 4 checksum check as expected.
PAN-114577
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to authenticate when the authentication profile contained a server profile that used the FQDN of the server.
PAN-114437
Fixed an issue on Panorama M-Series and virtual appliances where, after you upgraded the firewall from PAN-OS 8.0.8 to PAN-OS 8.1.4, commits took longer than expected when you configured the Device Group with large group hierarchies.
PAN-114435
Fixed an issue where multiple dataplanes stopped responding and caused traffic outages after you enabled IPSec tunnels.
PAN-114434
Fixed an issue where the firewall created incorrect predict sessions, which caused flow sessions to fail for applications.
PAN-114403
Fixed an issue on Panorama M-Series and virtual appliances where serial numbers for deployed firewalls did not display in the web interface with the exception of GlobalProtect cloud service firewalls.
PAN-114395
Fixed an issue on a VM-Series firewall where a process (all_task) stopped responding, which caused the firewall to reboot.
PAN-114275
Fixed an issue where the firewall dropped GTPv1 DELETE PDP response packets that had a termination endpoint ID (TEID) value of 0.
PAN-114181
Fixed an issue where the firewall incorrectly triggered Reverse Path Forwarding (RPF), which caused packet leaks.
PAN-113795
Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (all_pkts) stopped responding, which caused the dataplane to restart.
PAN-113775
Fixed an issue where the firewall dropped UpdatePDPContext reponse packets and displayed the following GTP log event: 122113.
PAN-113631
A security-related fix was made to address a use-after-free (UAF) vulnerability in the Linux kernel (PAN-SA-2019-0017 / CVE-2019-8912)
PAN-113614
Fixed an issue with a memory leak on Panorama appliances associated with commits that eventually caused an unexpected restart of the configuration (configd) process.
PAN-113340
(PA-200 firewalls only) Fixed an issue where the management plane (MP) memory was lower than expected, which caused the MP to restart.
PAN-113189
A security-related fix was made to correct log file string-conversion errors that caused parsing issues, which caused the User-ID™ (useridd) process to stop running.
PAN-113117
Fixed an issue on Panorama VM-Series firewalls where you were logged out of the web interface and had to log back in to push a device group and template configuration from a newly launched bootstrapped firewall.
PAN-113046
(PA-5200 Series firewalls only)Fixed an issue where a process (brdagent) stopped responding, which caused the management plane to stop responding.
PAN-112674
Fixed an issue where an escape ( “\” ) character was added to HTTP log s when a log contained a comma.
PAN-112577
Fixed an issue on a VM-Series firewall in an HA active/passive configuration where the HA1 port flapped and caused a split-brain condition.
PAN-112446
Fixed an issue where a predefined report (blocked credential post) generated reports using the incorrect query builder (flags has credential-builder), which caused the report to incorrectly display logs for alerts.
PAN-112293
Fixed an issue where the connection between the firewall and Log Collector flapped.
PAN-112167
Fixed an issue where IPv4 BGP routes were missing from the routing table and FIB after a failover event.
PAN-112106
Fixed an issue where the firewall was unable to add IPv6 loopback IP address ::1 to the external dynamic list and displayed the following error message: Invalid ips: ::1.
PAN-111976
Fixed an issue where you were unable to generate user activity reports when the username included a colon ( : ), ampersand ( & ), single parenthesis ( ' ) character.
PAN-111872
A security-related fix was made to address a command injection vulnerability (PAN-SA-2019-0018 / CVE-2019-1576).
PAN-111708
(PA-3200 Series firewalls only) Fixed a rare software issue that caused the dataplane to restart unexpectedly. To leverage this fix, you must run the debug dataplane set pow no-desched yes CLI command.
PAN-111380
(PA-5200, PA-3200, and PA-7000 Series firewalls with 100Gbps cards only) Fixed an issue where the show qos interface ae1 throughput 0 CLI command incorrectly displayed the active data stream only and QoS was not working as expected on the first subinterface.
PAN-111286
Fixed an issue where you were unable to generate a custom report (MonitorManage Custom Report<device-name>Report Setting).
PAN-110996
Fixed an issue where the dataplane stopped responding due to an incorrectly calculated offset when you configured Exclude video traffic from the tunnel (NetworkGlobalProtectGateways<gateway-name>AgentVideo Traffic).
PAN-110962
Fixed an issue where a process (all_pktproc) stopped responding when SSH decryption was enabled, which caused the dataplane to restart.
PAN-110883
Fixed an issue on a VM-Series firewall where all jobs did not execute and returned the following error message: Error- time out sending/receiving message.
PAN-110873
Fixed an issue where member interfaces of the aggregate interface did not display on web interface (PanoramaManaged DevicesHealthAll Devices<device-name>Interfaces).
PAN-110758
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure the firewall to disable the portal log in page.
PAN-110638
Fixed an issue where you were unable to establish a GlobalProtect connection on IPv6 and displayed the following error message: Packet too big due to the firewall MTU value set lower than normal on the neighboring firewall.
PAN-110548
Fixed an intermittent issue where heartbeats failed on the management plane (MP), which caused the dataplane to stop responding and displayed the following error message: Dataplaneis down: controlplane exit failure.
PAN-110526
Fixed an issue where Captive Portal authentication required two log-in attempts when the authentication sequence was configured as an authentication profile.
PAN-110293
Fixed an issue where GTP-U traffic dropped when the GTP tunnel endpoint ID (TEID) was not updated correctly during a GTP-C update.
PAN-109966
Fixed an issue where the content update threshold downloaded and installed an older content version after you manually installed a newer content version.
PAN-109954
Fixed an issue where a commit failed with an error message: cluster is missing 'encryption' when HA Traffic Encryption (PanoramaManaged WildFire Clusters<appliance-name>Communication) was not configured and after upgrading from PAN-OS 8.0.12 to PAN-OS 8.1.4.
PAN-109944
Fixed an intermittent issue where a process (configd) restarted due to a race condition when generating custom reports.
PAN-109663
Fixed an intermittent issue where the firewall dropped packets when the policy rule was set to allow but denied the packets during a commit or high availability (HA) sync.
PAN-109837
Fixed an issue where a race condition occurred when a configuration push and NetFlow update occurred simultaneously, which caused the dataplane to restart.
PAN-109575
Fixed an issue where you were unable to configure more than one device certificate (DeviceCertificate ManagementCertificates<device certificate-name>) with Trusted Root CA.
PAN-109336
(PA-500 and PA-800 Series firewalls only) Fixed an issue where commits failed after you imported a device state from Panorama the template configuration referenced Bidirectional Forwarding Detection (BFD).
PAN-109186
Fixed an issue where the dataplane stopped responding and caused a failover event.
PAN-109101
Fixed an issue where you were unable to override IKE Gateway configurations (NetworkIKE Gateways<template-name>) in the template stack. However, with this fix, you still cannot override template stacks when you configure any value with none. Additionally, to override the Local Identification, select Authentication in the pop-up dialogue.
PAN-109024
Fixed an issue where, after you upgrade the firewall from PAN-OS 8.0 to PAN-OS 8.1, firewalls configured with the User-ID agent and group mapping incorrectly mapped users to groups.
PAN-108990
Fixed an intermittent issue on a firewall where configuring Force Template Values (NetworkInterfacesCommitPush to DevicesTemplates) deleted the zone assigned to an interface.
PAN-108878
Fixed an issue where host traffic ICMP packets larger than 9,180 bytes dropped when you configured a jumbo frame with a maximum MTU value of 9,216 bytes and with the DF option enabled.
PAN-108846
Fixed an issue where a higher than expected rate of tunnel resolution packets occurred due to an internal loop, which caused a spike in dataplane CPU usage for firewalls that support distributed tunnel ownership.
PAN-108785
Fixed an intermittent issue on a firewall in an HA active/passive configuration where a ping test stopped responding on Ethernet 1/1, 1/2, and 1/4 due to input errors on the corresponding switch port after a HA failover.
PAN-108715
Fixed an issue where the firewall did not update the dataplane DNS cache after the management plane (MP) DNS entries expired, which caused evasion signatures to erroneously trigger a Suspicious TLS/HTTP(S)Evasion Found event.
PAN-108164
Fixed an issue where a process (tund) caused the dataplane to restart during a commit.
PAN-107989
Fixed an issue where the Strict IP Address Check incorrectly triggered when you enabled ECMP (NetworkVirtual RoutersAddRouter settingsECMP).
PAN-107662
Fixed an issue on a firewall in an HA active/active configuration where client-bound DHCPv6 packets dropped when you configured the firewall as a DHCPv6 relay agent.
PAN-107370
Fixed an issue where IPv6 traffic throughput reduced more than expected after you updated a static ND entry (NetworkInterfaces<interface-name>AdvancedND Entries) by moving the interface to a different virtual router.
PAN-107126
Fixed an issue where an SSL inbound session cache corruption caused a process (all_pktproc) to stop responding.
PAN-106861
Fixed an issue where stale route entries remained in the FIB after the routes were removed from the routing table when you used a redistribution rule without a profile.
PAN-106857
Fixed an issue where the dataplane restarted due to an internal path monitoring failure Caused by large SSL decrypted file transfer sessions.
PAN-106543
Fixed an issue on a firewall in an HA active/active configuration where the show vpn ipsec-sa CLI command incorrectly returned an error message: Server error: An error occurred. See dagger.log for information when you ran the command on the active secondary firewall.
PAN-106344
Fixed an issue where the log collector within a collector group retained varying numbers of detailed firewall logs when you enabled log redundancy.
PAN-106274
Fixed an issue on a firewall where a Layer 2 interface that contained a VLAN sub-interface in conjunction with policy based forwarding (PBF) caused the firewall to forward the return traffic to the incorrect web interface.
PAN-106259
Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall reported a higher number of GlobalProtect user accounts than the active firewall.
PAN-105925
Fixed an issue where the GlobalProtect Gateway web interface did not display the list of previous users.
PAN-105412
Fixed an issue where forward error correction (FEC) was disabled by default for AOC modules, which caused QSFP ports to flap or remain in the DOWN state. With this fix, FEC is enabled by default for AOC modules.
PAN-105397
Fixed an issue where a firewall incorrectly processed path monitoring, which originated from a NAT firewall on the same network segment.
PAN-105091
Fixed an issue on a firewall where stateful inspection failed, which caused the firewall to drop GTPv2-C Modify Bearer Request packets.
PAN-104568
Fixed an issue where the firewall did not send emails when you configured the email gateway with an FQDN.
PAN-104274
Addressed an issue where in a slow network environment the firewall displayed an error message: error online 1 at column 1: document is empty when you used an API call to fetch a license even when the auth code was successfully applied. Extremely slow networks may still see this issue.
PAN-103285
Fixed an issue where an API call (show system disk details), responded with the following error message: An error occurred. See dagger.log for information.
PAN-103225
Fixed an issue on Panorama M-Series and virtual appliances where the Task Manager did not display progress after you pushed a configuration to a firewall.
PAN-102979
Fixed an issue where Dynamic Updates did not display expired threat prevention licenses when you tried to install an application from Panorama.
PAN-102745
Fixed an intermittent issue on a firewall where a commit and FQDN refresh took longer than expected.
PAN-101970
Fixed an issue where the decode filter was unable to detect the end characters of a file name, which caused the firewall to bypass the file blocking profile.
PAN-101764
Fixed an issue where a process (slmgr) stopped responding during an auto-commit.
PAN-101379
Fixed an issue where an invalid Captive Portal authentication policy was successfully pushed to managed firewalls, which caused auto-commits to fail.
PAN-101052
Fixed an issue on Panorama M-Series and virtual appliances where Panorama unnecessarily checked and updated licenses for VM-Series firewalls on AWS after every commit, which resulted in new log entries. With this fix, Panorama no longer checks licenses after every commit.
PAN-100773
(PA-7000 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) port on a 20GQ NPC card took longer than expected to respond.
PAN-100742
Fixed an issue Panorama M-Series and virtual appliances where scheduled reports generated more than one DNS lookups, which caused inconsistent name resolutions for DNS deployments.
PAN-100693
Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.
PAN-99483
(PA-5250, PA-5260, and PA-5280) Fixed an issue where, when you deployed the firewall in a network that uses Dynamic IP and Port (DIPP) NAT translation with PPTP, client systems were limited to using a translated IP address-and-port pair for only one connection.
See Limitations for PA-7000 Series firewalls that do not use second-generation PA-7050-SMC-B or PA-7080-SMC-B Switch Management Cards.
PAN-99354
Fixed an issue where the firewall incorrectly denied URL access when the URL filtering profile was configured to alert.
PAN-99134
Fixed an issue where temporary files generated during preview changes did not get cleared, which caused disk space issues.
PAN-98746
Fixed an issue where GlobalProtect clientless VPN did not get redirected to the application URL when you used Internet Explorer as a web browser.
PAN-97288
Fixed an issue on GlobalProtect Clientless VPN where the URL gets truncated when you exclude the domain from the Rewrite Exclude Domain List (NetworkGlobalProtectPortals<portal-name>Clientless VPNAdvanced Settings).
PAN-92872
Fixed an intermittent issue where the firewall sent packets incorrectly to an outgoing interface.
PAN-89820
Fixed an intermittent issue where the Data Filtering (MonitorData Filtering) and Threat Log (MonitorThreat) did not display file names when you transferred multiple files into a single session.
PAN-81778
Fixed an issue where scheduled reports did not generate as expected due to a race condition.