PAN-OS 9.0.5 Addressed Issues

PAN-OS® 9.0.5 addressed issues.
Issue ID
Description
WF500-5137
Fixed an issue where the
show wildfire global last-device-registration all
CLI command incorrectly returned an error message:
Failed
, even when you registered the firewall correctly.
PAN-128561
Fixed an issue where a process (
all_pktproc
) stopped responding after you upgraded the firewall to PAN-OS® 9.0.4.
PAN-128324
(
PA-7000 Series firewalls only
) Fixed an issue where internal path monitoring failures occurred due to either a buffer leak or buffer corruption.
PAN-127932
Fixed an issue where the REST API reference did not display the web browser documentation, which resulted in an error when running a PAN-OS 9.0.4 release.
PAN-127807
Fixed an issue on Panorama™ M-Series and virtual appliances where a process (
configd
) stopped responding when you performed a commit to a large number of firewalls.
PAN-127189
Fixed an issue where images displayed through the Clientless VPN were corrupted.
PAN-126921
(
PA-7000 Series firewalls only
) Fixed an issue where internal path monitoring failed when the firewall processed corrupt packets.
PAN-126697
Fixed an HTTPD issue with PHP where it leaked memory.
PAN-126547
Fixed an issue where a process (
configd
) stopped responding when an XML API call with
type=config&action=get
triggered during a commit.
PAN-126534
(
PAN-OS 8.1.10 and later releases only
) Fixed an issue where the data from Security policies did not export as expected.
PAN-126354
Fixed an issue where log in and commits took longer than expected when you used XML API calls to create new address objects.
PAN-125933
Fixed an issue where the receiving firewall deleted the host information profile (HIP) report due to the report containing the same IPv4 address in the IP and IP2 fields and caused a process (
useridd
) to stop responding.
PAN-125833
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where a daemon (
routed
) did not receive the updated interface status after an HA failover, which caused routes to remain in the routing and FIB tables.
PAN-125775
Fixed an issue where Panorama management servers deployed using the C5 or M5 instance types on Amazon Web Services (AWS) caused the Panorama instance to stop responding in regions that supported these instance types.
PAN-125517
An enhancement was made to improve firewall performance for stream control transmission protocol (SCTP) flows. To enable this enhancement, run the
set sctp fast-sack yes
CLI command.
PAN-125515
Fixed an issue on VM-Series firewalls where the firewall dropped all traffic traversing from the dataplane to the management plane.
PAN-125478
Fixed an issue on a firewall in an HA active/passive configuration where the route to the passive firewall dropped during a failover.
PAN-125452
Fixed an issue where the firewall did not list registered addresses from the Dynamic Address Group when the same IP-tag information was received from two sources, which caused the traffic flow to stop responding as expected.
PAN-125346
An enhancement was made to enable you to configure IPv6 in the web interface and through a CLI command when you added IPv6 virtual addresses to a firewall in an HA active/active configuration.
PAN-125121
(
VM-Series firewalls only
) Fixed an issue where custom images did not function as expected for PAN-OS 9.0.
PAN-125069
An enhancement was made to enable you to delete the GTP-C tunnel with all GTP-U tunnel sessions after the firewall received a Delete Bearer Response message where default bearer ID=5. To enable this enhancement, run the
set gtp ebi5-del-gtpc [yes/no]
CLI command.
PAN-124996
Fixed an issue where a GlobalProtect™ daemon (
rasmgr
) stopped responding when you connected with an overlapping IPv6 address, which caused subsequent GlobalProtect connections to fail.
PAN-124890
Fixed a configuration lock issue where you were unable to log in after you upgraded from PAN-OS 8.1.6 to PAN-OS 8.1.9.
PAN-124630
Fixed an issue where new logs were not ingested due to a buffer exhaustion condition caused by invalid messages incorrectly handled by elastic search.
PAN-124481
Fixed an issue where the dataplane stopped responding when SMTP sessions were used.
PAN-124299
Fixed an issue on VM-Series firewalls in an HA active/passive configuration where the active firewall leaked packet buffers when links were disconnected from the hypervisor.
PAN-123850
(
PA-5200 and PA-7000 Series firewalls only
) Fixed an issue where conflicting GTP sessions were installed in short interval, which caused the firewall to queue GTP packets and deplete packet buffers.
PAN-123600
Fixed an issue where the firewall was unable to establish a connection to the DNS Security feature domain (dns.service.paloaltonetworks.com) when the firewall could not connect with the primary DNS server but could connect with the secondary DNS server.
PAN-123446
Fixed an issue where an administrator with a Superuser role could not reset administrator credentials.
PAN-123362
Fixed an issue where the firewall used more than expected virtual memory when you decreased the maximum elastic search heap size.
PAN-123190
Fixed an issue on a firewall in an HA active/passive configuration where a process (
useridd
) restarted multiple times and caused the firewall to reboot.
PAN-123030
Fixed an issue with a memory leak associated with a process (
mgmtsrvr
) when you pushed a commit.
PAN-122662
(
PA-5260 firewalls only
) Fixed an issue where a process (
mpreplay
) stopped responding after a commit when you configured the firewall with more than 200 virtual systems (vsys) running on PAN-OS 8.1.9.
PAN-122601
Fixed a memory leak issue with a process (
configd
) when you performed device group related operations.
PAN-122550
Fixed an issue where VM-Series firewalls on Microsoft Azure experienced traffic latency due to an incompatible driver.
PAN-121945
Fixed an issue on Panorama M-Series and virtual appliances where after you deployed the firewall in Google Cloud the Panorama serial console stopped responding.
PAN-121911
Fixed an issue where a process (
logrcvr
) restarted during commits.
PAN-121667
Fixed an issue where traffic incorrectly matched Security policies when configured static address groups and FQDN IP addresses on Security policies overlapped.
PAN-121523
Fixed an issue where an API call triggered memory errors, which caused a process (
configd
) to stop responding and triggered
SIGABRT
logs.
PAN-121447
Fixed an issue where the BGP did not remove the IPv6 default route from the forwarding table after the route was withdrawn.
PAN-121133
Fixed an issue on Panorama M-Series and virtual appliances where a validation job triggered a memory leak in a process (
configd
), which caused context switching between Panorama and the web interface to respond slower than expected.
PAN-121001
Fixed an issue where the firewall only reported a maximum of two logs when you configured more than two hardware security modules (HSM).
PAN-120901
Fixed an issue on Panorama M-Series and virtual appliances where partial commits did not apply configuration changes as expected.
PAN-120361
Fixed an issue on Panorama M-Series and virtual appliances where objects were not compressed, which caused higher than expected CPU and memory usage.
PAN-120287
Fixed a JavaScript error due to an incorrect HTTP response, which prevented GlobalProtect Clientless VPN applications to load.
PAN-120151
Fixed an issue where the DNS packet parser incorrectly processed DNS packet headers when the QD count is 0. With this fix, the DNS packet parser aborts further processing when QD != 1.
PAN-119765
Fixed an intermittent issue where the firewall dropped sessions that used a large number of predict sessions.
PAN-119680
Fixed a rare issue where the
show running
CLI commands for policy addresses caused file descriptor leaks.
PAN-119289
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to query Cortex™ Data Lake by the serial number filter.
PAN-119225
Fixed an issue where an inaccurate sequence number check for an RST packet caused the packet to drop.
PAN-119185
Fixed an issue where a process (
panio
) caused more than expected CPU consumption.
PAN-119172
Fixed an issue where the firewall incorrectly enforced URL category policies and erroneously triggered
alert
instead of
block
.
PAN-118985
Fixed an issue on Panorama M-Series and virtual appliances where a process (
configd
) experienced high memory utilization and a memory leak condition, which caused slower than expected performance.
PAN-118881
Fixed an issue where the user domain information was missing from the user IP mapping entry when you configured
Allow Authentication with User Credentials or Client Certificate
to
Yes
while using a client certificate for GlobalProtect authentication.
PAN-118783
Fixed an intermittent issue where a daemon (
dnsproxy
) stopped responding when you configured an HTTP proxy on the firewall.
PAN-118762
Fixed an issue where the GlobalProtect portal used an outdated jQuery library.
PAN-118720
Fixed an issue on a firewall in an HA active/active configuration where Oracle traffic SYN packets dropped intermittently with the
flow_fpp_owner_err_no_predict
counter.
PAN-118628
Fixed an issue where after you deployed Panorama in Azure, you were unable to log in to Panorama with the username and password that was provided during the deployment process.
PAN-118583
Fixed a memory allocation issue that prevented URL filtering logs from displaying the full URL.
PAN-118430
Fixed an issue where pushed template configurations were overridden when you made a configuration change in the Master Key
Lifetime
(
Device
Master Key and Diagnostic
Edit
) field.
PAN-118370
Fixed an issue where the firewall displayed incorrect application dependency warnings during commits when a Security policy used a wildcard address.
PAN-118277
Fixed an issue where the firewall stopped responding due to a race condition.
PAN-118256
Fixed an issue where a DNS Security signature response from a cloud service caused a daemon (
dnsproxyd
) to stop responding.
PAN-118183
Fixed an issue where a process (
dnsproxyd
) stopped responding due to higher than expected CPU usage.
PAN-118180
Fixed an issue on firewalls configured with authentication policies where UDP and ICMP packets matching an authentication policy did not generate traffic logs as defined in the Security policy when sessions were redirected or denied.
PAN-118057
Fixed an issue on a firewall in an HA active/passive configuration where a process (
all_pktproc
) stopped responding and the dataplane restarted, which caused an internal path monitoring failure and an HA failover event.
PAN-118055
Fixed an issue where administrators were unable to export Security Assertion Markup Language (SAML) metadata files from virtual system (vsys) specific authentication profiles.
PAN-117959
Fixed an issue where LDAP authentication failed when you configured the authentication server with an FQDN.
PAN-117907
Fixed an issue where the date and time provided for a request license information output did not match the show clock output provided by the NTP server.
PAN-117900
Fixed an issue where commits failed when you moved an object referenced in a policy to a shared group.
PAN-117888
Fixed an issue where the firewall was unable to detect the hardware security module (HSM), which caused the firewall to drop SSL traffic.
PAN-117878
Fixed an issue where you were unable to add a service definition to the NSX manager and the following error message displayed:
Failed to create object service-definition. Ret code is 400
.
PAN-117835
Fixed an intermittent issue where a process (
all_pktproc
) stopped responding, which caused a heartbeat failure and the firewall to drop LACP and OSPF connections.
PAN-117738
(
PA-3050 and PA-3060 firewalls only
) Fixed an issue where a higher than expected number of
flow_fpga_flow_update
messages occurred when you configured QoS.
PAN-117727
Fixed an issue where job threads were deadlocked, which prevented log in attempts and displayed the following error message:
CONFIG_LOCK: write lock TIMEDOUT for cmd
.
PAN-117384
Fixed an issue on Panorama M-Series and virtual appliances where the connection between Panorama and managed firewalls timed out when you upgraded PAN-OS 9.0.0 to PAN-OS 9.0.1 and displayed the following error message:
Error - time out sending/receiving message
.
PAN-117303
Fixed an issue where the BGP aggregate prefix, which is advertised to multiple BGP peers was removed from RIB OUT when you disabled one of the BGP peers.
PAN-117120
Fixed an issue on Panorama M-Series and virtual appliances where a process (
configd
) restarted due to virtual memory issues.
PAN-117086
Fixed an issue where community attributes to BGP routes had a character limit of 31 characters, which caused expressions to take longer than expected to process.
PAN-117068
Fixed an issue on Panorama M-Series and virtual appliances where memory utilization increased more than expected when you deleted several rules with an XML API delete command.
PAN-116977
Fixed an issue on VM-Series firewalls where you could not upgrade to PAN-OS 9.0.1 or a later release with a pre-licensed firewall.
PAN-116949
Fixed a memory leak issue with a process (
mprelay
), which caused the dataplane to restart.
PAN-116903
Fixed an issue on Panorama M-Series and virtual appliances where you were unable to configure
Enable X-Auth Support
(
Network
GlobalProtect
Gateways
Template
<Template-stack>
Agent
Tunnel Settings
) at the Template-stack level.
PAN-116772
Fixed an issue where the firewall sent empty attributes in the LDAP query when you did not configure
Alternate Username 1 - 3
(
Device
User Identification
Group Mapping Settings
<group-name>
User and Group Attributes
) in the User Attributes web interface.
PAN-116708
Fixed an issue where administrators were unable to export policies and objects in PDF format.
PAN-116611
Fixed an issue where an API call for correlated events did not return any events.
PAN-116473
Fixed an issue where the firewall logged URL categories configured for Allow in the URL filtering logs.
PAN-116334
Fixed an issue where a process (
mgmtsrvr
) leaked memory caused by SNMP traps.
PAN-116286
Fixed an issue where commits failed after you upgraded from PAN-OS 8.0.16 to PAN-OS 8.1.6 due to an invalid encryption state for a host information profile (HIP) object.
PAN-116274
Fixed an issue where the firewall was unable to authenticate when you pushed a public key from Panorama.
PAN-116189
Fixed an issue where Session Initiation Protocol (SIP) calls failed and displayed the following error message:
end-reason: resources-unavailable
.
PAN-115990
Fixed an issue where the FQDN address object (
Policy
Security
<address-object>
Value
) displayed the following unrelated error:
<FQDN-name>
Not used
.
PAN-115959
Fixed an issue where DNS names with more than 63 characters did not resolve FQDN address objects during an FQDN refresh.
PAN-115890
Fixed an issue where the
show system info
CLI command incorrectly displayed
VMware ESXi
as
VMWare ESXi
.
PAN-115879
Fixed an issue on a firewall where a bypass switch sent heartbeat messages to the firewall, which triggered non-stop link status change interrupts through a Marvell switch.
PAN-115697
Fixed CVE-2019-17437, see PAN-SA-2019-0038 for details.
PAN-115549
Fixed an issue where predict sessions were incorrectly created with a
captive-portal
zone, which caused the firewall to drop RTP traffic.
PAN-115349
Fixed an issue where an incorrect predict session was created when a policy-based forwarding (PBF) policy was used without a NAT in the parent session, which caused the firewall to drop RTP and RTCP packets.
PAN-115344
Fixed an issue where the Username Modifier
%USERDOMAIN%\%USERINPUT%
enabled you to log in to a locked out user account.
PAN-115340
Fixed an issue on a firewall in an HA active/passive configuration where the passive firewall experienced higher than expected dataplane CPU usage caused by HA IPSec messages bouncing between dataplanes.
PAN-115282
Fixed an issue where temporary download files were deleted before a download job was completed, which caused the progress bar to remain at 0% and prevented a timeout when downloads fail.
PAN-115281
Fixed an issue where the firewall did not resolve an external dynamic list server address when the DNS proxy configured it as a static entry.
PAN-115110
An enhancement was made to enable you to configure syslog parameters through the CLI debug command. To view the available parameters and change the configurations, run the
debug syslogng-params settings
CLI command and perform a commit force to apply the edits.
PAN-115108
Fixed an issue on Panorama M-Series and virtual appliances where scheduled uploading and installation of WildFire® content meta files to WF-500 appliances failed and displayed the following error message:
device not supported
.
PAN-114880
Fixed an issue where the
debug management-server summary-logs flush-options max-keys
CLI command did not persist through a system reboot.
PAN-114771
Fixed an issue on Panorama M-Series and virtual appliances where
Decrypt Mirror
(
Objects
Decryption
Decryption Profile
<Device Group-name>
) did not appear in the
Interface
drop-down menu when you tried to configure a Decryption Profile.
PAN-114667
Fixed an issue on a firewall in an HA active/passive configuration where a split-brain condition occurred after you upgraded from PAN-OS 8.1.3 to PAN-OS 8.1.6.
PAN-114628
Fixed an issue where Panorama was unable to query logs forwarded from the firewall to the log collector.
PAN-114540
Fixed an issue where renaming a template stack did not change the value and reset to the original value after you commit the change.
PAN-114456
Fixed an issue where extended packet capture (pcap) for threat logs caused a process (
mgmtsrvr
) to stop responding.
PAN-114270
Fixed an issue where the firewall dropped TCP trace route traffic after you upgraded to PAN-OS 8.1.5. To leverage this fix, run the
set session tcp-reject-diff-syn no
CLI command.
PAN-114247
Fixed an issue where a larger than expected number of
Could not find entry for interface ethernet1/<interface>.<subinterface> in CPS table
filled the snmpd.log, which caused the log file to rotate more frequently than expected.
PAN-113610
Fixed an issue where Panorama incorrectly deleted valid device group directories and was unable to generate reports.
PAN-113606
Fixed an issue where the Throughput column (
Panorama
Managed Devices
Health
) was incorrectly labeled.
PAN-113261
(
PA-5200 Series firewalls only
) Fixed an issue where the total entries for the URL filtering allow list, block list, and custom categories were incorrectly set to an entry limit value other than 100,000.
PAN-113162
Fixed an issue where you were unable to create shared URL filtering profiles from the Panorama web interface.
PAN-112661
Fixed an issue where you were unable to access a firewall due to a defective small form-factor pluggable (SFP)/SFP+ module inserted into the firewall.
PAN-111544
Fixed an issue on Panorama M-Series and virtual appliances configured as log collectors where SSH did not respond after you enabled SSH on ethernet1/1.
PAN-110685
Fixed a rare issue where an incorrect User-ID™ match to the respective LDAP group caused a security policy mismatch.
PAN-110098
Fixed an issue on a firewall in an HA active/passive configuration where you were unable to synchronize configurations or dynamic updates between HA pairs.
PAN-109874
Fixed a memory leak issue on a firewall during a commit, which prevented the firewall from generating GlobalProtect client configurations.
PAN-108876
Fixed an issue where the firewall dropped Session Initiation Protocol (SIP) registration packets, which caused SIP sessions to fail.
PAN-108373
Fixed an issue where an application dependency warning incorrectly displayed when you configured
negate-source yes
on a security rule to deny an application.
PAN-108012
Fixed an issue on Panorama M-Series and virtual appliances where you could not add and generate a certificate as expected.
PAN-106434
Fixed an issue where a process (
keymgr
) stopped responding due to missed heartbeats, which caused IPSec tunnels to stop responding.
PAN-102195
Fixed an issue where the firewall did not detect all threat sessions while the App and Threat content installation was processed.
PAN-100977
(
VM-Series NSX edition firewalls only
) Fixed an issue where the existing logs for dynamic address updates had insufficient information to debug the root cause of an issue and where the dynamic address update logs were larger than expected, which caused the file to roll over every five minutes and did not provide a sufficient log history to debug issues.

Recommended For You