PAN-OS 9.0.4 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
- Management Interfaces
-
- Launch the Web Interface
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Commit Selective Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
-
-
- Define Access to the Web Interface Tabs
- Provide Granular Access to the Monitor Tab
- Provide Granular Access to the Policy Tab
- Provide Granular Access to the Objects Tab
- Provide Granular Access to the Network Tab
- Provide Granular Access to the Device Tab
- Define User Privacy Settings in the Admin Role Profile
- Restrict Administrator Access to Commit and Validate Functions
- Provide Granular Access to Global Settings
- Provide Granular Access to the Panorama Tab
- Provide Granular Access to Operations Settings
- Panorama Web Interface Access Privileges
-
- Reset the Firewall to Factory Default Settings
-
- Plan Your Authentication Deployment
- Pre-Logon for SAML Authentication
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure TACACS Accounting
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
-
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Deployment
- Configure the Master Key
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Configure an SSH Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
-
- HA Overview
-
- Prerequisites for Active/Active HA
- Configure Active/Active HA
-
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load-Sharing
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
- HA Clustering Overview
- HA Clustering Best Practices and Provisioning
- Configure HA Clustering
- Refresh HA1 SSH Keys and Configure Key Options
- HA Firewall States
- Reference: HA Synchronization
-
- Use the Dashboard
- Monitor Applications and Threats
- Monitor Block List
-
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
-
- Configure Syslog Monitoring
-
- Traffic Log Fields
- Threat Log Fields
- URL Filtering Log Fields
- Data Filtering Log Fields
- HIP Match Log Fields
- GlobalProtect Log Fields
- IP-Tag Log Fields
- User-ID Log Fields
- Decryption Log Fields
- Tunnel Inspection Log Fields
- SCTP Log Fields
- Authentication Log Fields
- Config Log Fields
- System Log Fields
- Correlated Events Log Fields
- GTP Log Fields
- Audit Log Fields
- Syslog Severity
- Custom Log/Event Format
- Escape Sequences
- Forward Logs to an HTTP/S Destination
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
- Monitor Transceivers
-
- User-ID Overview
- Enable User-ID
- Map Users to Groups
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
-
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
-
- Prepare to Deploy App-ID Cloud Engine
- Enable or Disable the App-ID Cloud Engine
- App-ID Cloud Engine Processing and Policy Usage
- New App Viewer (Policy Optimizer)
- Add Apps to an Application Filter with Policy Optimizer
- Add Apps to an Application Group with Policy Optimizer
- Add Apps Directly to a Rule with Policy Optimizer
- Replace an RMA Firewall (ACE)
- Impact of License Expiration or Disabling ACE
- Commit Failure Due to Cloud Content Rollback
- Troubleshoot App-ID Cloud Engine
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Maintain Custom Timeouts for Data Center Applications
-
- Decryption Overview
-
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- TLSv1.3 Decryption
- High Availability Not Supported for Decrypted Sessions
- Decryption Mirroring
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Post-Quantum Cryptography Detection and Control
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
- Activate Free Licenses for Decryption Features
-
- Policy Types
- Policy Objects
- Track Rules Within a Rulebase
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
-
- External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Use Dynamic User Groups in Policy
- Use Auto-Tagging to Automate Security Actions
- CLI Commands for Dynamic IP Addresses and Tags
- Application Override Policy
- Test Policy Rules
-
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 9.0 (EoL)
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
-
- Changes to Default Behavior
- Associated Software and Content Versions
- Limitations
-
-
- PAN-OS 9.0.17 Known Issues
- PAN-OS 9.0.16 Known Issues
- PAN-OS 9.0.15 Known Issues
- PAN-OS 9.0.14 Known Issues
- PAN-OS 9.0.13 Known Issues
- PAN-OS 9.0.12 Known Issues
- PAN-OS 9.0.11 Known Issues
- PAN-OS 9.0.10 Known Issues
- PAN-OS 9.0.9 Known Issues
- PAN-OS 9.0.8 Known Issues
- PAN-OS 9.0.7 Known Issues
- PAN-OS 9.0.6 Known Issues
- PAN-OS 9.0.5 (and 9.0.5-h3) Known Issues
- PAN-OS 9.0.4 Known Issues
- PAN-OS 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues
- PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues
- PAN-OS 9.0.1 Known Issues
- Known Issues Specific to the WildFire Appliance
-
-
- PAN-OS 9.0.17-h5 Addressed Issues
- PAN-OS 9.0.17-h4 Addressed Issues
- PAN-OS 9.0.17-h1 Addressed Issues
- PAN-OS 9.0.17 Addressed Issues
- PAN-OS 9.0.16-h7 Addressed Issues
- PAN-OS 9.0.16-h6 Addressed Issues
- PAN-OS 9.0.16-h5 Addressed Issues
- PAN-OS 9.0.16-h3 Addressed Issues
- PAN-OS 9.0.16-h2 Addressed Issues
- PAN-OS 9.0.16 Addressed Issues
- PAN-OS 9.0.15 Addressed Issues
- PAN-OS 9.0.14-h4 Addressed Issues
- PAN-OS 9.0.14-h3 Addressed Issues
- PAN-OS 9.0.14 Addressed Issues
- PAN-OS 9.0.13 Addressed Issues
- PAN-OS 9.0.12 Addressed Issues
- PAN-OS 9.0.11 Addressed Issues
- PAN-OS 9.0.10 Addressed Issues
- PAN-OS 9.0.9-h1 Addressed Issues
- PAN-OS 9.0.9 Addressed Issues
- PAN-OS 9.0.8 Addressed Issues
- PAN-OS 9.0.7 Addressed Issues
- PAN-OS 9.0.6 Addressed Issues
- PAN-OS 9.0.5-h3 Addressed Issues
- PAN-OS 9.0.5 Addressed Issues
- PAN-OS 9.0.4 Addressed Issues
- PAN-OS 9.0.3-h3 Addressed Issues
- PAN-OS 9.0.3-h2 Addressed Issues
- PAN-OS 9.0.3 Addressed Issues
- PAN-OS 9.0.2-h4 Addressed Issues
- PAN-OS 9.0.2 Addressed Issues
- PAN-OS 9.0.1 Addressed Issues
- PAN-OS 9.0.0 Addressed Issues
End-of-Life (EoL)
PAN-OS 9.0.4 Addressed Issues
PAN-OS® 9.0.4 addressed issues.
Issue ID | Description |
|---|---|
- | (Microsoft Azure only) Updates
to support changes in Azure Accelerated Networking (AN). |
WF500-4785 | Fixed a rare issue on WF-500 appliances
where the firewall did not respond after you upgraded the appliance from
a PAN-OS® 8.0.1 release to a PAN-OS 8.0.10 or later release. With
this fix, you can run the new debug software raid fixup auto CLI
command to recover the RAID controller. |
PAN-124658 | Fixed an issue where the timer system call
activated more frequently than expected, which caused higher than expected
CPU usage. |
PAN-123371 | Fixed an issue where the Wildfire® Analysis
Report incorrectly displayed the following error message: You are not authorized to access this page on the web interface. |
PAN-123079 | Fixed an intermittent issue where after
a configuration change, a commit caused the dataplane to stop responding. |
PAN-122804 | Fixed an issue on Panorama™ M-Series and
virtual appliances where the firewall stopped forwarding logs to Cortex™
Data Lake after you upgraded the cloud services plugin to 1.4. |
PAN-122489 | (Microsoft Azure only) Fixed an
issue where VM-Series firewalls incorrectly renamed (to eth)
interfaces connected to Mellanox appliances when Accelerated networking was
enabled on the firewall. |
PAN-122004 | (PA-5200 Series firewalls only)
Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28
ports 21 and 22 did not respond when plugged in with a Finisar 100G
AOC cable. |
PAN-121449 | Fixed an issue where Remove Config (PanoramaPlugins)
did not remove the configuration for any plugins you have set up
on Panorama. |
PAN-121185 | Fixed an intermittent issue where domains
were not normalized, which caused an incorrect verdict response. |
PAN-120662 | (PA-7000 Series firewalls using PA-7000-20G-NPC
cards only) Fixed an intermittent issue where an out-of-memory
(OOM) condition caused the dataplane or internal path monitoring
to stop responding. |
PAN-120548 | Fixed an issue where the Captive Portal
request limit was ignored when you configured the Captive Portal authentication
method to browser-challenge. |
PAN-120409 | (PA-7000 Series firewalls only)
Fixed an issue where firewalls running a 20G Network Processing Card
(NPC) or a 20GQ NPC dropped stream control transmission protocol
(SCTP) connections due to incorrect session handling. |
PAN-120342 | Fixed an intermittent issue where the dataplane stopped
responding when processing a UDP packet that passed through an IPSec
tunnel. |
PAN-120194 | (Virtual and M-Series Panorama appliances
and Log Collectors only) Fixed an issue where closed Elasticsearch
(ES) indices were continuing to receive and re-queue logs, which
resulted in high CPU usage. |
PAN-119257 | Fixed an issue where the firewall could
not establish an IKEv2 connection with SHA256 certificates. |
PAN-119187 | (Panorama only) Fixed an issue
where a file lock was released before the lock was taken, which triggered
an erroneous maximum connection timeout that prevented administrators
from logging in to and executing commands from the command-line
interface (CLI). |
PAN-119030 | Fixed an issue on Panorama M-Series and
virtual appliances where bootstrapped managed firewalls were disconnected
after you performed a partial revert if you did not first perform
a manual commit. With this fix, the manual commit is not required. |
PAN-118964 | Fixed an issue on VM-Series firewalls where
single root I/O virtualization (SR-IOV) did not support packet mmap
in access mode and DPDK mode. |
PAN-118784 | Fixed an intermittent issue where the firewall dropped
a message: Update PDP Context Response and
did not update the General Packet Radio Service (GPRS) Tunneling
Protocol for User Data (GTP-U). |
PAN-118509 | Fixed an issue on Panorama M-Series and
virtual appliances where shared policies were out of sync due to
an empty stream control transmission protocol (SCTP) after you upgraded
the firewall from PAN-OS 8.0.16 to PAN-OS 8.1.8. |
PAN-118423 | Fixed an intermittent issue with local high
availability (HA) status changes where a process (mprelay)
failed to commit changes to the HA state. |
PAN-118411 | Fixed an issue where ARP entries took longer
than expected to age out in a single run. |
PAN-118407 | Fixed an issue where an internal path monitoring failure
due to a buffer leak caused the firewall to reboot. |
PAN-117923 | Fixed an issue where the management server stopped
responding when an incorrect filter was used to filter traffic logs
instead of displaying an error message. |
PAN-117921 | Fixed an issue where you were unable to
create GTP inner sessions, which caused the firewall to drop GTP-U data
packets when the firewall was deployed on S1-U and S-11 interfaces. |
PAN-117916 | Fixed an issue where the dataplane stopped responding
when you pushed permitted IP addresses from Panorama to managed
firewalls. |
PAN-117720 | (GlobalProtect™ Clientless VPN environments only)
Fixed an issue where a process (all_pktproc) stopped
responding and caused the firewall to restart unexpectedly when
processing GlobalProtect Clientless VPN traffic. To leverage this
fix, you must first upgrade (DevicesDynamic Updates) to GlobalProtect Clientless
VPN content release 79 or a later release. |
PAN-116807 | (PA-7000, PA-5200, and PA-3200 Series
firewalls only) Fixed an issue where the firewall dropped ICMP error
messages when the security policy was configured to allow ICMP. |
PAN-116798 | Fixed an issue on Panorama M-Series and
virtual appliances where the progress bar for a commit all job incorrectly
remained at 0% after a job was completed. |
PAN-116769 | Fixed an issue where a process (pan_comm)
stopped responding due to a memory allocation error. |
PAN-116729 | Fixed an issue where you were unable to
deploy bootstrapped content in offline environments due to content
validity checks. |
PAN-116634 | Fixed an issue where the date in the GlobalProtect HTTP
header was incorrectly set to a random date instead of a zero (0),
which negatively and falsely impacted security scorecard ratings. |
PAN-116613 | Fixed an issue on a VM-Series firewall deployed
in Microsoft Azure where packets dropped silently due to a kernel
error. |
PAN-116513 | Fixed an issue where VM-Series firewalls
did not bootstrap successfully when you included the software version
in the software folder of the bootstrap package. |
PAN-116436 | (Panorama virtual appliances only)
Fixed an issue where a disk calculation error resulted in an erroneous
opt/panlogs/ partion full condition and caused a process (CDB)
to stop responding. |
PAN-116416 | Fixed an issue on Panaorama M-Series and
virtual appliances where a process (configd) stopped
responding when you performed a commit to a large number of firewalls. |
PAN-116383 | Fixed an issue with Panorama on Azure where
the configuration of an HA pair became out of sync due to different
plugin versions being detected even though the same versions were
installed on both peers. |
PAN-116280 | Fixed an issue where the firewall displayed
a static route warning when the next hop IP address was not included
in the subnet of the outgoing interface. |
PAN-116227 | Fixed an issue on Panorama M-Series and
virtual appliances where traffic logs did not display data when
the IPv6 address filter is based on netmask. |
PAN-116218 | Fixed an issue where the test routing bgp virtual-router default restart peer Peer-v6 CLI
command did not execute the operational request and returned the
following error message: op command for client routed timed out as client is not available. |
PAN-116128 | Fixed an issue where a process (logrcvr)
stopped responding when packet captures (pcap) were generated for
HTTP2 traffic. |
PAN-116123 | Fixed an issue where a process (devsrvr)
stopped responding when you performed a commit or a configuration
validation when the proxy ID contained 24 or more characters. |
PAN-115856 | Fixed an issue where Dynamic IP and Port
(DIPP) NAT pools did not release used ports after all sessions were removed. |
PAN-115852 | Fixed an issue on VM-Series firewalls on
AWS where you could not change maximum transmission unit (MTU) values
from the web interface and displayed the following error message: Malformed Request. |
PAN-115794 | Fixed an issue where, after you upgraded
the firewall from PAN-OS 8.1.5 to PAN-OS 9.0.0, the firewall displayed the
following validation error: plugins 'read-only' is not an allowed keyword. |
PAN-115792 | Fixed an issue where after a refresh of
the external dynamic list values from the previous list were not
retained, which caused the list values to display 0.0.0.0 and
displayed the following error message: HTTP/1.1 500 Internal Server Error. |
PAN-115748 | Fixed an intermittent issue on Panorama
M-Series and virtual appliances where a memory issue caused the firewall
to reboot. |
PAN-115738 | Fixed an issue where data logs were generated
but the firewall did not forward the logs to the syslog server. |
PAN-115695 | Fixed an intermittent issue where a large
number of packets were received before acknowledgments were complete,
which depleted descriptor queue entries and resulted in high latency
during data transfers even though CPU usage looked normal. |
PAN-115450 | Fixed a rare issue where a race condition
occurred between daemons during a tunnel re-key, which caused BGP
sessions to drop from Large Scale VPN tunnels. To leverage this
fix, you must run the debug rasmgr delay-nh-update CLI command. |
PAN-115354 | Fixed an issue on Panorama M-Series and
virtual appliances where renaming a device group followed by a partial
commit did not change the device group hierarchy as expected. |
PAN-115287 | Fixed an issue where commits failed and
displayed the following error message: Commit job was not queued. All daemons are not available. |
PAN-115219 | Fixed an issue on Panorama M-Series and
virtual appliances where Global Find caused the web interface to stop
responding when you searched for common English words. |
PAN-115186 | Fixed an issue where SaaS reports were not generated
due to report definitions not getting pushed to the log collector. |
PAN-114958 | Fixed an issue where the User-ID™ (useridd)
process consumed more CPU cycles than expected when you configured
User-ID redistribution. |
PAN-114889 | Fixed an issue where a Panorama template
push to a firewall with a PAN-OS 8.1 release or earlier resulted
in the deletion of split tunnel configurations when any address objects
or address groups are included. With this fix, you still must remove
all address groups before pushing templates to a PAN-OS 8.1 or earlier
release. |
PAN-114867 | Fixed an issue where GlobalProtect gateway
client configuration generation failed when a matching rule existed. |
PAN-114844 | Fixed an issue on Panorama M-Series and
virtual appliances where malformed API calls caused the firewall
to reboot. |
PAN-114779 | Fixed an issue where log purging took longer
than expected, which prevented the firewall from capturing traffic
logs. |
PAN-114567 | Fixed an issue where the Eventid eq globalprotectportal-config-succ system query
caused the management server (mgmtsrvr) process to
stop responding. |
PAN-114566 | Fixed an issue where after a commit the
firewall displayed the following error message: No Valid DNS Security License even
when the license was valid and successfully applied. |
PAN-114533 | Fixed an issue where traffic was blocked
by the safe search enforcement instead of the intended allow rule. |
PAN-114526 | Fixed an issue where larger than expected
number of packets sent over a GTP-U tunnel caused packet captures to
fill the files faster than expected. With this fix, you can run
the debug dataplane packet-diag set capture gtpu-lvl [1-30] command
to ensure GTP-U traffic are captured. |
PAN-114475 | Fixed an issue where Panorama in FIPS mode defaulted
to FIPS-CC mode instead of Normal mode. |
PAN-114427 | Fixed an issue where an empty host name
in the HTTP header caused a web server process (websrvr)
to stop responding when you accessed the captive portal redirect
page. |
PAN-114264 | Fixed an issue where sessions were offloaded
as the application identification was performed when you configured
a custom application with Continue scanning for other
application. |
PAN-114160 | Fixed an issue where you were unable to
download ZIP files greater than 3GB through a GlobalProtect Clientless
VPN application. |
PAN-114105 | Fixed an issue on a Panorama M-Series appliance where
the Summary (PanoramaManaged
DevicesSummary)
web interface refreshes every 10 seconds when set to manually refresh. |
PAN-114090 | Fixed an issue on a Panorama virtual appliance
in Legacy mode and in an HA active/passive configuration where logs
were forwarded only to the active firewall. |
PAN-114002 | Fixed an issue where you were unable to
import variable CSV files when variable names contained a character
space. |
PAN-113971 | (PA-7000 Series firewalls only)
Fixed an issue where the High Speed Chassis Interconnect (HSCI) link
flapped after you rebooted the firewall. |
PAN-113930 | Fixed an issue on VM-Series firewalls where
CPU loads were uneven across cores when more than 8 cores were allocated
to the dataplane. |
PAN-113912 | Fixed an issue where a process (ikemgr)
stopped responding and caused the firewall to reboot. |
PAN-113887 | Fixed an issue where loading custom app
tags did not complete successfully, which prevented subsequent requests
(such as commits, content installs, and FQDN refreshes) from executing
as expected. |
PAN-113870 | Fixed an issue where Security policies were
not evaluated in sequential order when the policy was based on URL
categories. |
PAN-113796 | Fixed an issue where GlobalProtect configured
with the pre-logon then on-demand connect
method was unable to authenticate during pre-logon when
you configured the portal and gateway with an Authentication Override
and without a certification profile. |
PAN-113767 | Fixed an issue where the firewall silently
dropped packets when security profiles were attached and FPGA enabled
AHO and DFA. |
PAN-113619 | Fixed an issue where the GlobalProtect gateway
did not assign an IP address when the local IP address was a supernet
of the GlobalProtect pool. |
PAN-113501 | Fixed an issue where the Panorama management server
returned a Security Copy (SCP) server connection error after you
created an SCP Scheduled Config Export profile (PanoramaScheduled Config Export)
due to the SCP server password exceeding 15 characters in length. |
PAN-113229 | Fixed an issue on Panorama M-Series and
virtual appliances in an HA active/passive configuration where the passive
firewall displayed an out-of-sync shared policy status when you
edited the Device Group. |
PAN-113185 | Fixed an issue where the passive firewall
in an HA active/passive configuration was processing traffic. |
PAN-112988 | Fixed an issue where a process (useridd)
leaked memory, which caused the firewall to drop traffic and display
the following error message: Out-of-memory condition detected, kill process. |
PAN-112972 | Fixed an issue where scheduled reports were
not generated as expected when you added groups in a query builder. |
PAN-112566 | Fixed an issue where the GlobalProtect Client
was unable to download files from a web interface, sessions went
into DISCARD state, and displayed the following message: Packet dropped, control plane service not allowed. |
PAN-112529 | Fixed an issue where the firewall incorrectly
sent several benign critical content alerts daily. |
PAN-112467 | Fixed an issue where obsolete IPv6 Neighbor Discovery
(ND) entries did not clear as expected, which caused the IPv6 table
to reach full capacity and caused new IPv6 ND entries to fail. |
PAN-112308 | Fixed an issue where hardware security module (HSM)
accounts were locked out after three attempts when you ran the show hsm ha-status CLI
command. |
PAN-112016 | Fixed an issue on VM-Series firewalls where
the physical port counters on the dataplane interfaces did not increase
on KVM when you disabled DPDK. |
PAN-111698 | Fixed an issue where administrators were
unable to log in when character spaces were used in usernames. |
PAN-111660 | Fixed an issue where an incorrect SSH key initialization
caused a process (pan_comm) to stop responding every
15 minutes when you configured an SSH proxy on the firewall. |
PAN-110990 | Fixed an issue where a logical operation not configured
with receive_time in the traffic log filter did not respond
as expected. |
PAN-110960 | Fixed an issue on Panorama M-Series and
virtual appliances where commits failed when you configured an address
group object in the Include List (NetworkZone<zone-name>Include List). |
PAN-110839 | Fixed a rare issue where a commit pushed
from Panorama failed, which caused a process (routed)
to stop responding. |
PAN-110628 | Fixed an issue where user groups were deleted
from the Group Include List ("DeviceUser identificationGroup Mapping Settings<group-name>Group
Include List) if you changed the LDAP server
profile account password. |
PAN-110234 | Fixed an issue where administrators with
a Superuser (read-only) role was able to initiate a commit through
the CLI. |
PAN-110168 | Fixed an issue where the firewall and Panorama
web interface did not present HSTS headers to your web browser. |
PAN-109803 | Fixed an issue where credential phishing
prevention did not detect user or password phishing when passwords, which
contained two discontiguous character spaces were used. |
PAN-109759 | Fixed an issue where the firewall did not
generate a notification for the GlobalProtect client when the firewall denied
unencrypted TLS sessions due to an authentication policy match. |
PAN-107207 | Fixed an issue where the VPN tunnel operational status
incorrectly displays up even though
the VPN tunnel is down. |
PAN-106889 | Fixed a rare issue on a firewall in an HA active/passive
configuration running in FIPS-CC mode where the passive firewall
rebooted in to maintenance mode. |
PAN-106628 | Fixed an issue where the firewall did not
generate a system log when the firewall detected a RAM issue. |
PAN-106449 | Fixed an issue when you connected to an
internal GlobalProtect gateway on a firewall in an HA active/passive configuration
and authenticated with multi-factor authentication (MFA) to access
a resource, the first and second authentication factors succeeded
but you would not be redirected to the actual resource. |
PAN-106100 | (PA-3200 Series firewalls only)
Fixed an issue on a firewall in an HA active/active configuration where
SSL traffic through the GlobalProtect VPN (in SSL mode) tunnel stopped
responding after Layer 7 processing completed and when asymmetric
routing occurred. |
PAN-105286 | Fixed an issue where the firewall did not
record email header information in Data Filtering logs when you triggered
a test mail that contained a data leak prevention (DLP) pattern. |
PAN-104909 | Fixed an issue where the firewall incorrectly forwarded
traffic when you configured the ingress interface with a QoS policy
and the egress interface as a tunnel. |
PAN-104808 | Fixed an issue where scheduled SaaS reports generated
and emailed empty PDF reports. |
PAN-104251 | Fixed an issue where the syslog server TCP keep-alive
parameter caused the connection to unexpectedly age out. |
PAN-103865 | Fixed an issue where the firewall did not
detect user credentials when the number of users exceeded 60,000. |
PAN-103847 | Fixed a memory buffer allocation issue that
caused the Session Initiation Protocol (SIP) traffic NAT to stop responding. |
PAN-101613 | (PA-800 Series firewalls only)
Fixed an intermittent issue where a congestion condition occurred during
periods of low traffic. With this fix, run the set system setting hol-system enable CLI
command to enable the HOL system mode. |
PAN-84670 | Fixed an issue where firewalls that were
not configured to decrypt HTTPS services and applications traffic
allowed users without valid authentication timestamps to access
those resources regardless of Authentication Policy settings. To
prevent such access, either configure the firewall to decrypt traffic
or run the debug device-server cp-allow-encrypted-disable on command and
execute a commit force CLI command (this
command will persist across reboots). |