PAN-OS 9.0.4 Addressed Issues

PAN-OS® 9.0.4 addressed issues.
Issue ID
Description
-
(Microsoft Azure only) Updates to support changes in Azure Accelerated Networking (AN).
WF500-4785
Fixed a rare issue on WF-500 appliances where the firewall did not respond after you upgraded the appliance from a PAN-OS® 8.0.1 release to a PAN-OS 8.0.10 or later release. With this fix, you can run the new debug software raid fixup auto CLI command to recover the RAID controller.
PAN-124658
Fixed an issue where the timer system call activated more frequently than expected, which caused higher than expected CPU usage.
PAN-123371
Fixed an issue where the WildFire Analysis Report incorrectly displayed the following error message: You are not authorized to access this page on the web interface.
PAN-123079
Fixed an intermittent issue where after a configuration change, a commit caused the dataplane to stop responding.
PAN-122804
Fixed an issue on Panorama™ M-Series and virtual appliances where the firewall stopped forwarding logs to Cortex Data Lake after you upgraded the cloud services plugin to 1.4.
PAN-122489
(Microsoft Azure only) Fixed an issue where VM-Series firewalls incorrectly renamed (to eth) interfaces connected to Mellanox appliances when Accelerated networking was enabled on the firewall.
PAN-122004
(PA-5200 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable.
PAN-121449
Fixed an issue where Remove Config (Panorama > Plugins) did not remove the configuration for any plugins you have set up on Panorama.
PAN-121185
Fixed an intermittent issue where domains were not normalized, which caused an incorrect verdict response.
PAN-120662
(PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an intermittent issue where an out-of-memory (OOM) condition caused the dataplane or internal path monitoring to stop responding.
PAN-120548
Fixed an issue where the Captive Portal request limit was ignored when you configured the Captive Portal authentication method to browser-challenge.
PAN-120409
(PA-7000 Series firewalls only) Fixed an issue where firewalls running a 20G Network Processing Card (NPC) or a 20GQ NPC dropped stream control transmission protocol (SCTP) connections due to incorrect session handling.
PAN-120342
Fixed an intermittent issue where the dataplane stopped responding when processing a UDP packet that passed through an IPSec tunnel.
PAN-120194
(Virtual and M-Series Panorama appliances and Log Collectors only) Fixed an issue where closed Elasticsearch (ES) indices were continuing to receive and re-queue logs, which resulted in high CPU usage.
PAN-119257
Fixed an issue where the firewall could not establish an IKEv2 connection with SHA256 certificates.
PAN-119187
(Panorama only) Fixed an issue where a file lock was released before the lock was taken, which triggered an erroneous maximum connection timeout that prevented administrators from logging in to and executing commands from the command-line interface (CLI).
PAN-119030
Fixed an issue on Panorama M-Series and virtual appliances where bootstrapped managed firewalls were disconnected after you performed a partial revert if you did not first perform a manual commit. With this fix, the manual commit is not required.
PAN-118964
Fixed an issue on VM-Series firewalls where single root I/O virtualization (SR-IOV) did not support packet mmap in access mode and DPDK mode.
PAN-118784
Fixed an intermittent issue where the firewall dropped a message (Update PDP Context Response) and did not update the General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U).
PAN-118509
Fixed an issue on Panorama M-Series and virtual appliances where shared policies were out of sync due to an empty stream control transmission protocol (SCTP) after you upgraded the firewall from PAN-OS 8.0.16 to PAN-OS 8.1.8.
PAN-118423
Fixed an intermittent issue with local high availability (HA) status changes where a process (mprelay) failed to commit changes to the HA state.
PAN-118411
Fixed an issue where ARP entries took longer than expected to age out in a single run.
PAN-118407
Fixed an issue where an internal path monitoring failure due to a buffer leak caused the firewall to reboot.
PAN-117923
Fixed an issue where the management server stopped responding when an incorrect filter was used to filter traffic logs instead of displaying an error message.
PAN-117921
Fixed an issue where you were unable to create GTP inner sessions, which caused the firewall to drop GTP-U data packets when the firewall was deployed on S1-U and S-11 interfaces.
PAN-117916
Fixed an issue where the dataplane stopped responding when you pushed permitted IP addresses from Panorama to managed firewalls.
PAN-117720
(GlobalProtect™ Clientless VPN environments only) Fixed an issue where a process (all_pktproc) stopped responding and caused the firewall to restart unexpectedly when processing GlobalProtect Clientless VPN traffic. To leverage this fix, you must first upgrade (Devices > Dynamic Updates) to GlobalProtect Clientless VPN content release 79 or a later release.
PAN-116807
(PA-7000, PA-5200, and PA-3200 Series firewalls only) Fixed an issue where the firewall dropped ICMP error messages when the security policy was configured to allow ICMP.
PAN-116798
Fixed an issue on Panorama M-Series and virtual appliances where the progress bar for a commit all job incorrectly remained at 0% after a job was completed.
PAN-116769
Fixed an issue where a process (pan_comm) stopped responding due to a memory allocation error.
PAN-116729
Fixed an issue where you were unable to deploy bootstrapped content in offline environments due to content validity checks.
PAN-116634
Fixed an issue where the date in the GlobalProtect HTTP header was incorrectly set to a random date instead of a zero (0), which negatively and falsely impacted security scorecard ratings.
PAN-116613
Fixed an issue on a VM-Series firewall deployed in Microsoft Azure where packets dropped silently due to a kernel error.
PAN-116513
Fixed an issue where VM-Series firewalls did not bootstrap successfully when you included the software version in the software folder of the bootstrap package.
PAN-116436
(Panorama virtual appliances only) Fixed an issue where a disk calculation error resulted in an erroneous opt/panlogs/ partition full condition and caused a process (CDB) to stop responding.
PAN-116416
Fixed an issue on Panorama M-Series and virtual appliances where a process (configd) stopped responding when you performed a commit to a large number of firewalls.
PAN-116383
Fixed an issue with Panorama on Azure where the configuration of an HA pair became out of sync due to different plugin versions being detected even though the same versions were installed on both peers.
PAN-116280
Fixed an issue where the firewall displayed a static route warning when the next hop IP address was not included in the subnet of the outgoing interface.
PAN-116227
Fixed an issue on Panorama M-Series and virtual appliances where traffic logs did not display data when the IPv6 address filter is based on netmask.
PAN-116218
Fixed an issue where the test routing bgp virtual-router default restart peer Peer-v6 CLI command did not execute the operational request and returned the following error message: op command for client routed timed out as client is not available.
PAN-116128
Fixed an issue where a process (logrcvr) stopped responding when packet captures (pcap) were generated for HTTP2 traffic.
PAN-116123
Fixed an issue where a process (devsrvr) stopped responding when you performed a commit or a configuration validation when the proxy ID contained 24 or more characters.
PAN-115856
Fixed an issue where Dynamic IP and Port (DIPP) NAT pools did not release used ports after all sessions were removed.
PAN-115852
Fixed an issue on VM-Series firewalls on AWS where you could not change maximum transmission unit (MTU) values from the web interface and the firewall displayed the following error message: Malformed Request.
PAN-115794
Fixed an issue where, after you upgraded the firewall from PAN-OS 8.1.5 to PAN-OS 9.0.0, the firewall displayed the following validation error: plugins 'read-only' is not an allowed keyword.
PAN-115792
Fixed an issue where, after a refresh of the external dynamic list, values from the previous list were not retained, which caused the list values to display 0.0.0.0 along with the following error message: HTTP/1.1 500 Internal Server Error.
PAN-115748
Fixed an intermittent issue on Panorama M-Series and virtual appliances where a memory issue caused the firewall to reboot.
PAN-115738
Fixed an issue where data logs were generated but the firewall did not forward the logs to the syslog server.
PAN-115695
Fixed an intermittent issue where a large number of packets were received before acknowledgments were complete, which depleted descriptor queue entries and resulted in high latency during data transfers even though CPU usage looked normal.
PAN-115450
Fixed a rare issue where a race condition occurred between daemons during a tunnel re-key, which caused BGP sessions to drop from Large Scale VPN tunnels. To leverage this fix, you must run the debug rasmgr delay-nh-update CLI command.
PAN-115354
Fixed an issue on Panorama M-Series and virtual appliances where renaming a device group followed by a partial commit did not change the device group hierarchy as expected.
PAN-115287
Fixed an issue where commits failed and displayed the following error message: Commit job was not queued. All daemons are not available.
PAN-115219
Fixed an issue on Panorama M-Series and virtual appliances where Global Find caused the web interface to stop responding when you searched for common English words.
PAN-115186
Fixed an issue where SaaS reports were not generated due to report definitions not getting pushed to the log collector.
PAN-114958
Fixed an issue where the User-ID™ (useridd) process consumed more CPU cycles than expected when you configured User-ID redistribution.
PAN-114889
Fixed an issue where a Panorama template push to a firewall with a PAN-OS 8.1 release or earlier resulted in the deletion of split tunnel configurations when any address objects or address groups are included. With this fix, you still must remove all address groups before pushing templates to a PAN-OS 8.1 or earlier release.
PAN-114867
Fixed an issue where GlobalProtect gateway client configuration generation failed when a matching rule existed.
PAN-114844
Fixed an issue on Panorama M-Series and virtual appliances where malformed API calls caused the firewall to reboot.
PAN-114779
Fixed an issue where log purging took longer than expected, which prevented the firewall from capturing traffic logs.
PAN-114567
Fixed an issue where the Eventid eq globalprotectportal-config-succ system query caused the management server (mgmtsrvr) process to stop responding.
PAN-114566
Fixed an issue where, after a commit, the firewall displayed the following error message: No Valid DNS Security License even when the license was valid and successfully applied.
PAN-114533
Fixed an issue where traffic was blocked by the safe search enforcement instead of the intended allow rule.
PAN-114526
Fixed an issue where a larger than expected number of packets sent over a GTP-U tunnel caused packet captures to fill the files faster than expected. With this fix, you can run the debug dataplane packet-diag set capture gtpu-lvl [1-30] command to ensure GTP-U traffic is captured.
PAN-114475
Fixed an issue where Panorama in FIPS mode defaulted to FIPS-CC mode instead of Normal mode.
PAN-114427
Fixed an issue where an empty host name in the HTTP header caused a web server process (websrvr) to stop responding when you accessed the captive portal redirect page.
PAN-114264
Fixed an issue where sessions were offloaded as the application identification was performed when you configured a custom application with Continue scanning for other application.
PAN-114160
Fixed an issue where you were unable to download ZIP files greater than 3GB through a GlobalProtect Clientless VPN application.
PAN-114105
Fixed an issue on a Panorama M-Series appliance where the Summary (Panorama > Managed Devices > Summary) web interface refreshes every 10 seconds when set to manually refresh.
PAN-114090
Fixed an issue on a Panorama virtual appliance in Legacy mode and in an HA active/passive configuration where logs were forwarded only to the active firewall.
PAN-114002
Fixed an issue where you were unable to import variable CSV files when variable names contained a character space.
PAN-113971
(
PA-7000 Series firewalls only
) Fixed an issue where the High Speed Chassis Interconnect (HSCI) link flapped after you rebooted the firewall.
PAN-113930
Fixed an issue on VM-Series firewalls where CPU loads were uneven across cores when more than 8 cores were allocated to the dataplane.
PAN-113912
Fixed an issue where a process (ikemgr) stopped responding and caused the firewall to reboot.
PAN-113887
Fixed an issue where loading custom app tags did not complete successfully, which prevented subsequent requests (such as commits, content installs, and FQDN refreshes) from executing as expected.
PAN-113870
Fixed an issue where Security policies were not evaluated in sequential order when the policy was based on URL categories.
PAN-113796
Fixed an issue where GlobalProtect configured with the pre-logon then on-demand connect method was unable to authenticate during pre-logon when you configured the portal and gateway with an Authentication Override and without a certification profile.
PAN-113767
Fixed an issue where the firewall silently dropped packets when security profiles were attached and FPGA enabled AHO and DFA.
PAN-113619
Fixed an issue where the GlobalProtect gateway did not assign an IP address when the local IP address was a supernet of the GlobalProtect pool.
PAN-113501
Fixed an issue where the Panorama management server returned a Security Copy (SCP) server connection error after you created an SCP Scheduled Config Export profile (Panorama > Scheduled Config Export) due to the SCP server password exceeding 15 characters in length.
PAN-113229
Fixed an issue on Panorama M-Series and virtual appliances in an HA active/passive configuration where the passive firewall displayed an out-of-sync shared policy status when you edited the Device Group.
PAN-113185
Fixed an issue where the passive firewall in an HA active/passive configuration was processing traffic.
PAN-112988
Fixed an issue where a process (useridd) leaked memory, which caused the firewall to drop traffic and display the following error message: Out-of-memory condition detected, kill process.
PAN-112972
Fixed an issue where scheduled reports were not generated as expected when you added groups in a query builder.
PAN-112566
Fixed an issue where the GlobalProtect Client was unable to download files from a web interface, sessions went into DISCARD state, and the firewall displayed the following message: Packet dropped, control plane service not allowed.
PAN-112529
Fixed an issue where the firewall incorrectly sent several benign critical content alerts daily.
PAN-112467
Fixed an issue where obsolete IPv6 Neighbor Discovery (ND) entries did not clear as expected, which caused the IPv6 table to reach full capacity and caused new IPv6 ND entries to fail.
PAN-112308
Fixed an issue where hardware security module (HSM) accounts were locked out after three attempts when you ran the show hsm ha-status CLI command.
PAN-112016
Fixed an issue on VM-Series firewalls where the physical port counters on the dataplane interfaces did not increase on KVM when you disabled DPDK.
PAN-111698
Fixed an issue where administrators were unable to log in when character spaces were used in usernames.
PAN-111660
Fixed an issue where an incorrect SSH key initialization caused a process (pan_comm) to stop responding every 15 minutes when you configured an SSH proxy on the firewall.
PAN-110990
Fixed an issue where a logical operation (not) configured with receive_time in the traffic log filter did not respond as expected.
PAN-110960
Fixed an issue on Panorama M-Series and virtual appliances where commits failed when you configured an address group object in the Include List (Network > Zone > <zone-name> > Include List).
PAN-110839
Fixed a rare issue where a dataplane restart or a commit triggered a large number of route updates, which caused a process (routed) to stop responding as expected.
PAN-110628
Fixed an issue where user groups were deleted from the Group Include List (Device > User identification > Group Mapping Settings > <group-name> > Group Include List) if you changed the LDAP server profile account password.
PAN-110234
Fixed an issue where administrators with a Superuser (read-only) role were able to initiate a commit through the CLI.
PAN-110168
Fixed an issue where the firewall and Panorama web interface did not present HSTS headers to your web browser.
PAN-109803
Fixed an issue where credential phishing prevention did not detect user or password phishing when passwords that contained two discontiguous character spaces were used.
PAN-109759
Fixed an issue where the firewall did not generate a notification for the GlobalProtect client when the firewall denied unencrypted TLS sessions due to an authentication policy match.
PAN-107207
Fixed an issue where the VPN tunnel operational status incorrectly displays up even though the VPN tunnel is down.
PAN-106889
Fixed a rare issue on a firewall in an HA active/passive configuration running in FIPS-CC mode where the passive firewall rebooted into maintenance mode.
PAN-106628
Fixed an issue where the firewall did not generate a system log when the firewall detected a RAM issue.
PAN-106449
Fixed an issue when you connected to an internal GlobalProtect gateway on a firewall in an HA active/passive configuration and authenticated with multi-factor authentication (MFA) to access a resource, the first and second authentication factors succeeded but you would not be redirected to the actual resource.
PAN-106100
(PA-3200 Series firewalls only) Fixed an issue on a firewall in an HA active/active configuration where SSL traffic through the GlobalProtect VPN (in SSL mode) tunnel stopped responding after Layer 7 processing completed and when asymmetric routing occurred.
PAN-105286
Fixed an issue where the firewall did not record email header information in Data Filtering logs when you triggered a test mail that contained a data leak prevention (DLP) pattern.
PAN-104909
Fixed an issue where the firewall incorrectly forwarded traffic when you configured the ingress interface with a QoS policy and the egress interface as a tunnel.
PAN-104808
Fixed an issue where scheduled SaaS reports generated and emailed empty PDF reports.
PAN-104251
Fixed an issue where the syslog server TCP keep-alive parameter caused the connection to unexpectedly age out.
PAN-103865
Fixed an issue where the firewall did not detect user credentials when the number of users exceeded 60,000.
PAN-103847
Fixed a memory buffer allocation issue that caused the Session Initiation Protocol (SIP) traffic NAT to stop responding.
PAN-101613
(PA-800 Series firewalls only) Fixed an intermittent issue where a congestion condition occurred during periods of low traffic. With this fix, run the set system setting hol-system enable CLI command to enable the HOL system mode.
PAN-84670
Fixed an issue where firewalls that were not configured to decrypt HTTPS services and applications traffic allowed users without valid authentication timestamps to access those resources regardless of Authentication Policy settings. To prevent such access, either configure the firewall to decrypt traffic or run the debug device-server cp-deny-encrypted on command and perform a force commit (this command will persist across reboots).
