PAN-OS 9.0.6 Addressed Issues

PAN-OS® 9.0.6 addressed issues.
Issue ID
Description
WF500-5343
Fixed an issue on WF-500 that caused cloud queries to fail when the cloud verdict did not match the local verdict.
PAN-135141
Fixed an issue where the Log Processing Card (LPC) intermittently did not come up in a fully loaded PA-7000 Series firewall.
PAN-134242
(PA-7000b Series firewalls with Log Forwarding Cards (LFC) only) A security fix was made to restrict improper communications to the LFC (CVE-2019-17440/PAN-SA-2019-0040).
PAN-133883
Fixed an issue where a race condition caused pan_task and pan_com to exit unexpectedly.
PAN-133491
Fixed an issue where Internet Protocol (IP) to user mappings were not synced from the HUB virtual system (vsys) to the non-hub vsys.
PAN-133448
Fixed an issue where the mprelay process could crash during commit if the devsrvr process was restarted before or during the commit.
PAN-133443
Fixed an issue where an XML API call incorrectly masked the response, which prevented role-based administrators from running the response.
PAN-132501
Fixed an issue where after you switched the Context from Panorama™ to a firewall, the DESTINATION ZONE (Policies > Security > <policy-name> > Destination) incorrectly displayed none.
PAN-132104
Fixed an issue on Panorama M-Series and virtual appliances where the <show><object><registered-ip></registered-ip></object></show> XML API call did not retrieve more than 500 entries.
PAN-131939
Fixed an issue where the dataplane (DP) crashed during file transfer due to one or more content updates being installed.
PAN-130640
Fixed an issue where the management plane CPU on the firewall was high due to index generation on summary logs.
PAN-130465
Fixed an issue where required fields were masked incorrectly in an XML API call, which hid the response.
PAN-130073
Fixed an issue where a large number (65,000) of GlobalProtect™ user connections caused a process (sslvpn) to stop responding after you upgraded from PAN-OS® 8.1.10 to PAN-OS 8.1.11.
PAN-130069
Fixed an issue where the firewall incorrectly interpreted an external dynamic list MineMeld instability error code as an empty external dynamic list.
PAN-129668
Fixed an issue on the firewalls where the dataplane restarted unexpectedly when processing HTTP/2 traffic if packet-diag debugs were enabled.
PAN-129658
Fixed an issue where GTP inspection stopped functioning after unrelated changes in policy and a commit followed by a high availability (HA) failover.
PAN-129441
Fixed an issue where the concurrent file limitation for WildFire® submissions didn't work when the firewall had many files waiting to be uploaded, which caused /opt/panlogs/wildfire/tmpfile to become full and destabilize the firewall (for example, the process crashed or system logs were not written).
PAN-129327
Fixed a rare timing window that caused an Internal packet path monitoring failure.
PAN-129127
Fixed an issue where log export from maintenance mode failed with the following error message: no ip address configured, can't export logs even though the management interface Internet Protocol (IP) address was configured.
PAN-128856
Fixed an issue where the disk usage calculation was getting corrupted and purging logs.
PAN-128269
(PA-5250, PA-5260, and PA-5280 firewalls with 100GB AOC cables only) Fixed an issue where after you upgraded the first peer in a high availability (HA) configuration to a PAN-OS 9.0 release, the High Speed Chassis Interconnect (HSCI) port did not come up due to an FEC mismatch until after you finished upgrading the second peer.
PAN-128248
A fix was made to address a vulnerability with a race condition due to an insecure creation of a file in a temporary directory in PAN-OS (CVE-2020-2016).
PAN-127649
Fixed an issue where a purge script stopped responding, which caused a process (logrcvr) to discard incoming logs.
PAN-127089
Fixed an intermittent issue where the default route did not redistribute to an OSPF Not-So-Stubby Area (NSSA).
PAN-126882
A security fix was made to address an OpenSSL vulnerability (CVE-2019-1547/CVE-2019-1563).
PAN-126627
Fixed an issue where a process (all_pktproc) stopped responding due to a NULL pointer exception while cleaning up SSL proxy sessions previously configured for GlobalProtect.
PAN-126283
Fixed an intermittent issue where after you configured Cache EDNS Responses (Network > DNS Proxy > <DNS Proxy-name> > Advanced) a process (dnsproxy) stopped responding.
PAN-126159
Fixed an issue where the firewall did not match the Security policy when you configured the match condition to a shared local group.
PAN-125996
Fixed an issue on Panorama M-Series and VM-Series where the configd process would crash.
PAN-125898
Fixed an issue where a process (openssl) caused higher than expected management CPU usage due to the incompletion of the Online Certificate Status Protocol (OCSP) during the logging service certificate validation.
PAN-125793
Fixed an issue where multiple No valid URL filtering license warning messages were generated during a commit due to an expired URL filtering license. With this fix, the warning messages are grouped into a single message per virtual system (vsys).
PAN-125594
Fixed an issue where the configd process on a Panorama appliance had a memory leak during commit operations.
PAN-125302
Fixed an issue where the real-time clock (RTC) battery voltage exceeded the maximum threshold and triggered alerts in the system log.
PAN-125157
Fixed an issue on the firewalls where the rasmgr process restarted unexpectedly when using third-party VPN clients to connect to GlobalProtect.
PAN-125122
A fix was made to address a cleartext transmission of sensitive information vulnerability in Palo Alto Networks PAN-OS and Panorama that disclosed an authenticated PAN-OS administrator's PAN-OS session cookie (CVE-2020-2013).
PAN-125018
Fixed an issue on Panorama M-Series and virtual appliances where, after you configured the firewall with an API call, commits took longer than expected.
PAN-125017
(PA-7000b Series firewalls only) Fixed an issue where logs were unexpectedly discarded.
PAN-124948
Fixed an issue where a null pointer (policy) dereference was causing a crash.
PAN-124882
Fixed an issue where traffic logs that contained incorrect Security policies were generated during an active commit process when the Security policies were being added or removed.
PAN-124858
Fixed an issue on PA-220, PA-820, and PA-850 firewalls where Custom Signatures caused CTD memory depletion (OOM), which led to a dataplane crash.
PAN-124781
Fixed an issue in Panorama where the Policies > Security web interface flashed and the selected security rule did not stay selected when making a change to a rule that was part of a device group that included more than 200 rules.
PAN-124593
A fix was made to address a missing XML validation vulnerability in the PAN-OS web interface (CVE-2020-1975).
PAN-124565
Fixed an issue where an out of memory condition caused commits to fail with the following error: Error unserializing profile objects failed to handle CONFIG_UPDATE_START.
PAN-124435
Fixed an issue where the firewall dropped per-VLAN spanning tree (PVST+) packets from the virtual wire interface when you executed the set session rewrite-pvst-pvid yes CLI command.
PAN-124428
Fixed an issue where Address Resolution Protocol (ARP) randomly failed on one of the interfaces for a firewall deployed in the KVM/GCP/ESXi clouds.
PAN-123857
Fixed an issue where HTTP/2 traffic inspection caused a software buffer leak over time and affected decryption traffic.
PAN-123843
Fixed an issue for Cloud/VM platforms where the tunnels between the log collectors did not come up when a public IP was used for the log collectors in an environment with a Panorama management server and two or more log collectors.
PAN-123747
Fixed an issue where App-ID™ signatures failed to match when there were more than 12 partial App-ID matches within the same session.
PAN-123667
Fixed an issue where the snmpd process was crashing when polling for global counters.
PAN-123661
A fix was made to address an authentication bypass vulnerability in the Panorama context switching feature (CVE-2020-2018).
PAN-123322
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls running PAN-OS 9.0.5 only) Fixed an intermittent issue where a process (all_pktproc) stopped responding due to a Work Query Entry (WQE) corruption that was caused by duplicate child sessions.
PAN-123306
Fixed an issue where the Dashboard did not display the release dates for Application Version, Threat Version, and Antivirus Version.
PAN-123167
Fixed an issue where a process (mprelay) stopped responding.
PAN-122788
Fixed an issue where the firewall incorrectly logged target filenames when an antivirus signature was triggered over a Server Message Block (SMB) protocol.
PAN-122779
Fixed an issue where the firewall did not respond to TCP DNS requests when the firewall acted as a DNS proxy.
PAN-122778
Fixed an issue where the routing daemon restarted due to a deadlock on the path monitoring heartbeat processing, leading to a SIGABRT.
PAN-122565
Fixed an issue where a log collector with a dynamically assigned IP address could not establish communication with other log collectors.
PAN-122455
Fixed an issue where the DHCP server incorrectly processed bootp unicast flag requests.
PAN-122311
Fixed an issue where parent sessions were dropped when you installed a duplicate predict session.
PAN-122181
(PA-3200 Series and PA-5200 Series firewalls only) Fixed an issue where the firewall did not capture inbound Encapsulating Security Payload (ESP) protocol 50 packets at the receive stage.
PAN-121917
(PA-800 Series and PA-220 firewalls only) Fixed an issue where the hrProcessorLoad.2 OID displayed incorrect values.
PAN-121827
Fixed an issue where allow lists and auth profiles in multi-vsys systems would not allow a user to be identified in user groups. Users would show as Not in allow list because the multi-vsys (vsys1) was shown as vsys0.
PAN-121609
(PA-7000 Series firewalls using PA-7000-20G-NPC cards only) Fixed an issue where the firewall restarted due to an internal path monitoring heartbeat failure during periods of more than expected traffic load.
PAN-121484
(PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls only) Fixed an issue where the dataplane sent positive acknowledgments to predict-status checks from FPP when the corresponding predict was deleted, which caused SIP and RTSP applications to perform less than the expected achievable performance.
PAN-121481
Fixed an issue where downloading the GlobalProtect app software on your GlobalProtect portal took longer than expected.
PAN-121472
Fixed an intermittent issue where the dataplane stopped responding when processing compressed traffic.
PAN-121374
Fixed an issue where Internet Protocol (IP) tags with timeouts generated alert messages.
PAN-121184
Fixed an issue where the varrcvr process crashed due to memory corruption issues.
PAN-121058
A fix was made to address a DOM-based cross site scripting vulnerability in the PAN-OS and Panorama management web interfaces (CVE-2020-2017).
PAN-121022
Fixed an issue involving unexpected behavior within the GlobalProtect app where the Active viewed Template does not populate when clicking the hyperlink to trigger a redirect to the Template area and list.
PAN-120986
Fixed an issue where a process (routed) stopped responding when you configured virtual interfaces.
PAN-120965
Fixed an issue where certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP) checks did not respond as expected when you configured Block session if certificate status is unknown.
PAN-120909
Fixed an issue to improve the validation of certain field inputs in the web interface.
PAN-120900
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where after you submitted a host information profile (HIP) report a duplicate User-ID™ log was generated on the passive firewall.
PAN-120893
Fixed an issue where the Security Parameter Index (SPI) size was incorrectly set in the IKE Phase 2 packet when you configured commit-bit on the neighboring device, which caused IKE negotiations to fail on the neighboring device.
PAN-120730
Fixed an issue where pushing a config bundle from Panorama M-Series to a firewall failed with the following error: log-card -> iptag unexpected here.
PAN-120701
Fixed an issue where URL filtering blocked web traffic by the security policy that did not have URL filtering enabled.
PAN-120665
(PA-800 Series) Fixed an issue where the deployment of the Master Key through the web interface failed.
PAN-120545
Fixed an issue on VM-Series firewalls where the ager ran faster than expected, which prematurely caused the master key to expire.
PAN-120420
Fixed an issue in Panorama where you could not see Certificate Profile in the drop-down when adding an HTTP Server Profile.
PAN-120397
A fix was made to address an external control of path and data vulnerability in the Palo Alto Networks Panorama XSLT processing logic (CVE-2020-2001).
PAN-120351
Fixed an issue where the firewall caused unnecessary fragmentation when traffic and tunnel were content inspected, which caused retransmission and slowed response time.
PAN-120300
Fixed an issue where you were unable to view DHCP leases from the web interface or through the show dhcp server lease interface all CLI command due to the request taking longer than expected, which resulted in a timeout.
PAN-120157
Fixed an issue where temporary files created on a firewall during an API call execution were not properly cleaned up, leading to increased disk space usage.
PAN-120106
Fixed an issue where Panorama did not send correlation events and logs to the syslog server after you upgraded the firewall from PAN-OS 8.0.9 to PAN-OS 8.1.7.
PAN-120005
Fixed an issue where the firewall incorrectly forwarded incomplete and corrupted files through the Server Message Block (SMB) protocol to WildFire. This fix requires content release version 8219 or a later version.
PAN-119950
Fixed an issue on a firewall in a high availability (HA) active/passive configuration where a process (flow_ctrl) restarted after it received a malformed ICMPv6 neighbor advertisement packet.
PAN-119922
Fixed an issue in Panorama where the show config diff command was not working correctly and produced unexpected output.
PAN-119822
Fixed an issue where you were not redirected to the application URL after authentication.
PAN-119820
Fixed an issue where the firewall incorrectly calculated the TCP segment size when performing forward proxy decryption.
PAN-119819
Fixed an issue where Discover (Device > User Identification > User Mapping > Server Monitoring) stopped responding after you configured a DNS proxy.
PAN-119818
Fixed an issue where corrupt logs caused buffered log forwarding to stop responding.
PAN-119801
Fixed an issue where the firewall web interface did not display the BGP MED attribute value in the BGP Rib-Out tab (Virtual Routers > More Runtime Stats).
PAN-119550
Fixed an issue on Panorama M-Series and virtual appliances where communication between two processes (mgmtsrvr and logd) stopped responding.
PAN-119545
Fixed an issue where updates (including WildFire, antivirus, and so on) were intermittently failing.
PAN-119452
An enhancement was made to improve subsequent loading times of device groups after the first load.
PAN-119349
Fixed an issue on Panorama M-Series and virtual appliances where custom reports from the User-ID log displayed the incorrect receive date.
PAN-119343
Fixed an issue where a daemon (dnsproxy) incorrectly handled TCP requests, which caused the daemon (dnsproxy) to stop responding.
PAN-119047
Fixed an issue where local user group names that contained uppercase characters were not converted to lowercase characters prior to encoding, which caused the firewall not to load user group names with uppercase characters.
PAN-119046
Fixed an issue where moving multiple rules in Panorama using the Move All rules in Group and Move rules in group to different rule base group actions caused the rules to move in a reversed order.
PAN-118991
Fixed an issue in Panorama where on a high availability (HA) pair working in legacy mode, the following error message displayed in the system log: Panorama has lost connection to its peer, no log will be forwarded.
PAN-118957
A fix was made to address an authentication bypass spoofing vulnerability in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS (CVE-2020-2002).
PAN-118851
Fixed an issue where the BGP Conditional Advertisement suppress condition was not met, which caused the Conditional Adv (Network > Virtual Routers > <router-name> > BGP) not to apply the NEXT HOPS prefix range.
PAN-118777
Fixed an issue on a firewall in a high availability (HA) active/active configuration where larger than expected packet sizes were silently dropped when traversing through an HA3 link in an asymmetric network.
PAN-118436
(PA-5200 Series firewalls only) Fixed an issue where applications using the GlobalProtect Clientless VPN did not respond when the Clientless VPN used a VLAN interface.
PAN-118413
(PA-5200 Series firewalls only) Fixed an issue where the show system logd-quota CLI command did not display the Session log storage Quotas as expected.
PAN-118259
Fixed an issue where you were unable to generate WildFire analysis reports in the WildFire Submissions log when you configured Proxy Server (Device > Setup > Services > Global).
PAN-118249
Fixed an issue where traffic logs and URL Filtering logs did not display the URL for decrypted traffic.
PAN-118207
Fixed an issue where the Security Assertion Markup Language (SAML) for GlobalProtect did not respond as expected when you configured the IdP certificate as None on the SAML IdP server profile.
PAN-118108
Fixed an issue where an API call against a Panorama management server, which triggered the request analyze-shared-policy command, caused Panorama to reboot after you executed the command.
PAN-118091
Fixed an issue where application dependency warnings were displayed after a commit when the policy rules containing the dependent applications used different sources (one used user and the other used groups).
PAN-118090
Fixed an issue on Panorama M-Series and virtual appliances where User Activity Report (Monitor > PDF Reports) did not generate reports as expected.
PAN-118075
Fixed an issue where the BGP conditional advertisement did not respond as expected, which caused the prefix in the Advertise Filters (Network > Virtual Router > BGP > Conditional Adv) to be incorrectly advertised.
PAN-118050
Fixed an issue where some packets had incorrect timestamps in the transmit stage during packet capture.
PAN-117987
Fixed an issue where the firewall did not exclude video traffic from the GlobalProtect tunnel when you configured Exclude video traffic from the tunnel (Windows and macOS only) (Network > GlobalProtect > Gateways > <gateway-name> > Agent > Video Traffic).
PAN-117969
An enhancement was made to enable administrators to select signature and digest algorithms for outgoing Security Assertion Markup Language (SAML) messages through a CLI command.
PAN-117774
Fixed an issue where the dataplane stopped responding due to an incorrect parsing of cookies for GlobalProtect Clientless VPN applications.
PAN-117736
Fixed an issue on a firewall in a high availability (HA) active/active configuration where virtual MAC addresses pushed from Panorama were overridden on the local firewall.
PAN-117561
Fixed an issue in Panorama where Packet Capture was enabled with extended-capture (Objects > Security Profiles > Anti-Spyware) for DNS signatures, but the setting was not pushed to firewalls running PAN-OS 8.1.
PAN-117479
A fix was made to address a vulnerability with the Nginx web server included with PAN-OS (CVE-2017-7529).
PAN-117463
Fixed an issue where the firewall did not release the default DHCP route when a new IP address was obtained on a DHCP configured interface.
PAN-117446
Fixed an issue where GlobalProtect authentication failed when you used the domain in the group mapping and a User Principal Name (UPN) format for authentication.
PAN-117276
Fixed an issue on a firewall in a high availability (HA) active/active configuration where the names of the virtual routers were pushed from the active-primary firewall to the active-secondary firewall when you synced the configuration, which caused schema verification to stop responding when you did a local commit on the active-secondary firewall.
PAN-117251
Fixed an issue where vsysadmins were unable to view the locks on all the virtual systems they were assigned to. To view the locks in the CLI, run the new show commit-locks vsys and show config-locks vsys CLI commands.
PAN-117167
Fixed an issue where a process (configd) exceeded the memory limit and stopped responding.
PAN-116889
Fixed an issue where you were unable to establish an SSH session through a CLI command using a Diffie-Hellman (DH) algorithm.
PAN-116841
Fixed an issue where commits failed when address objects were used in static route configurations.
PAN-116615
Fixed an issue where authentication failed for newly added groups in the authentication profile Allow List.
PAN-116383
Fixed an issue with Panorama on AWS where the configuration of the high availability (HA) pair became out of sync due to different plugin versions being detected even though the same versions were installed on both peers.
PAN-116355
(PA-5200 Series firewalls only) Fixed an issue on a firewall in a high availability (HA) active/passive configuration where an HA1 heartbeat backup connection flap occurred and displayed the following error message: ha_ping_send/No buffer space available.
PAN-116173
Fixed an intermittent issue on a firewall in a high availability (HA) active/passive configuration where traffic interruptions occurred until you triggered a manual failover.
PAN-116100
Fixed an issue where a process (mprelay) stopped responding and invoked an out-of-memory (OOM) killer condition and displayed the following error messages: tcam full and pan_plfm_fe_cp_arp_delete.
PAN-115875
Fixed an issue where a PA-7080b HA pair rebooted when large sized packet traffic impacted the front panel ports of the Log Forwarding Card (LFC).
PAN-115238
Fixed an issue where SSL renegotiation sessions incorrectly identified URL categories.
PAN-115018
Fixed an issue where the firewall was unable to access the CPU information and caused the CPU frequency to be set to 0, which resulted in a divide-by-zero error and caused a process (devsrvr) to stop responding.
PAN-114966
Fixed an issue where trunk interfaces were not working on Hyper-V.
PAN-114784
Fixed an issue where a process (devsrvr) stopped responding after you pushed a configuration from Panorama to a firewall.
PAN-114438
Fixed an issue where the system log incorrectly reported intermittent certificate revocation list (CRL) fetches as successful even though the fetches were not successful.
PAN-114197
Fixed an issue where a configured certificate profile was not visible from the web interface in Network > Network Profiles > IKE Gateways > Add > General > Certificate Profile.
PAN-113144
Fixed an issue where BGP peers were not enabled when transitioning from Active/Passive to Active/Active or Active/Active to Active/Passive config on both IPv4 and IPv6 peer groups.
PAN-112145
Fixed an intermittent issue where a process (useridd) incorrectly reported successful Ops commands and did not download Dynamic Address Group updates, which prevented virtual machines from updating Dynamic Address Groups.
PAN-111650
Fixed an issue where a process (mgmtsrvr) stopped responding when another process (masterd) sent a signal interruption after you upgraded from a PAN-OS 9.0 release to a PAN-OS 9.1 release.
PAN-111333
An enhancement was made to increase the pattern match limit to recognize applications and threats accurately.
PAN-111135
Fixed an issue where Panorama displayed incorrect device monitoring values (Panorama > Managed Devices > Health) for the firewall.
PAN-109528
Fixed an issue where an old GPRS tunneling protocol (GTP) event was unexpectedly freed when an update message arrived, causing a crash.
PAN-109406
Fixed an issue where the firewall restarted when you unplugged the QSFP+ module from the High Speed Chassis Interconnect (HSCI) port.
PAN-108992
A fix was made to address an improper authorization vulnerability in PAN-OS (CVE-2020-1998).
PAN-107358
Fixed an issue where a firewall had a race condition in the error handling code in the write thread, causing memory corruption in the sslmgr session cache ring buffer.
PAN-105763
An enhancement was made to enable you to set the signing algorithm to sha-1 or sha-256 in the Security Assertion Markup Language (SAML) message on the firewall.
PAN-100946
Fixed an issue where VM-Series firewalls were unable to support the maximum number of tunnel interfaces due to less than expected memory allocation.
PAN-95651
(PA-3200 Series firewalls only) Fixed an issue where incomplete core dump files were generated during dataplane process crashes, making crash analysis difficult.
PAN-71148
Fixed an issue on Panorama where the ACC tab would not show data for the period before the daylight saving time (DST) change.