PAN-OS 9.0.7 Addressed Issues
PAN-OS® 9.0.7 addressed issues.
Issue ID
Description
WF500-5185
(WF-500 Series only) Fixed an issue where high disk use was observed due to an inadequate rotation of log files.
PAN-140090
Fixed an issue where HA links were down in VLAN access mode for KVM. This fix is only applicable for KVM deployments that are configured in VLAN access mode with SR-IOV.
PAN-137458
Fixed an issue where system logs with new event IDs caused a memory leak in a process (mgmtsrvr).
PAN-136698
Fixed an issue where a process (all_pktproc) stopped responding and the dataplane restarted when the firewall processed a malformed GPRS tunneling protocol (GTP) packet.
PAN-136696
Fixed an issue where the dataplane restarted due to excessive logs from the pan_comm process.
PAN-135703
(PA-7000 Series firewalls only) Fixed an issue where the switch ports connected to Quad Small Form-factor Pluggable (QSFP+) interfaces were up while Network Processing Cards (NPCs) were still rebooting.
PAN-135260
(PA-7000 Series firewalls running PAN-OS® 8.1.12 only) Fixed an intermittent issue where the dataplane process (all_pktproc_X) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic.
PAN-135103
A fix was made to address a format string vulnerability on PA-7000 Series firewalls with a Log Forwarding Card (LFC) (CVE-2020-1992).
PAN-135089
Fixed an issue where the CPU for a process (ikemgr) spiked when third-party VPN clients connected to the GlobalProtect gateway with more than three DNS servers configured.
PAN-134678
(PA-5200 Series firewalls only) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable.
PAN-134370
Fixed an issue where a process (mp-relay) restarted due to missing routes or next hops.
PAN-134244
Fixed an issue where connections proxied by the firewall (such as SSL Decryption, GlobalProtect portal and gateway connections, and SIP over TCP) failed due to insufficient buffer allocation. Some connections failed with the following error message: proxy decrypt failure.
PAN-133582
Fixed an issue in the firewalls where some Dynamic Address Groups pushed from Panorama were missing member IP addresses.
PAN-133440
Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues.
PAN-133378
Fixed an issue in Panorama where a process (configd) restarted while doing a commit using a RADIUS super admin role.
PAN-133048
(PA-5200 and PA-7000 Series firewalls only) Fixed an issue where firewalls processed traffic asymmetrically when using Internet Protocol (IP) classifiers on virtual wire (vwire) subinterfaces.
PAN-133042
(PA-5200 and PA-7000 Series firewalls only) Fixed an issue where firewalls dropped certain GPRS tunneling protocol (GTP) traffic even when gtp nodrop was enabled.
PAN-133040
Fixed an issue on a WF-500 appliance where a VM-Series firewall controller stopped responding, which caused the appliance to stop file analysis.
PAN-131993
Fixed an issue where a process (reportd) would crash while running a log query.
PAN-131907
Fixed an issue where GPRS tunneling protocol (GTP) version 2 handling was unable to handle fully qualified tunnel endpoint IDs (FTEID) received in reverse order, which resulted in GTP-C and GTP-U flows with incorrect IP addresses and tunnel endpoint IDs (TEID). This caused a GTP stateful inspection failure for subsequent packets on the respective flows.
PAN-131486
Fixed an issue where autocommits failed due to invalid access routes after an upgrade.
PAN-131193
Fixed an issue where firewalls dropped generic routing encapsulation (GRE) packets with the following error message: Packet dropped, prepend failure.
PAN-130573
Fixed an issue where the software pool for Regex results was depleted and caused connection failures.
PAN-130447
Fixed an issue where the firewall dropped offloaded traffic every time there was an explicit commit (Commit on the firewall locally or Commit All Changes in Panorama) or an implicit commit (such as an Antivirus update, Dynamic Update, or WildFire® update) on the firewall.
PAN-130361
A fix was made to address an external control of filename vulnerability in the SD-WAN component of Palo Alto Networks Panorama (CVE-2020-2009).
PAN-130345
Fixed an issue where the Panorama VM rebooted while filtering for configuration logs when the query value was not one of the predefined string results.
PAN-130290
Fixed an issue in the web interface where traffic logs did not display the destination zone (Monitor > Logs > Traffic > To Zone) for multicast sessions.
PAN-130262
Fixed an issue where firewalls dropped HTTP 200 OK messages during the offload of traffic for App-ID™ inspection.
PAN-130229
Fixed an issue on Panorama appliances where you could not change maximum transmission unit (MTU) values from the web interface; attempting to do so caused the appliance to display the following error message: Malformed Request.
PAN-129518
Fixed an issue where the firewall restarted due to an out-of-memory (OOM) condition caused by a leak in a process (ikemgr).
PAN-129490
Fixed an issue where CRL/OCSP verifications failed due to requests routing through the management interface even when service route was configured.
PAN-128908
If a user password was changed but no commit was performed afterward, the new password did not persist after a reboot. Instead, the user could still use the old password to log in, and the calculation of expiry days was incorrect based on the password change timestamp in the database.
PAN-128717
Fixed an issue in Panorama where, after switching context to a managed device, the session idle timeout was not updated, and the web session timed out even while the administrator was actively working in the interface.
PAN-127616
Fixed an issue where you could not push FQDN Minimum Refresh Time from Panorama to managed firewalls.
PAN-127438
Fixed an issue where GlobalProtect portal configuration selection based on certificate template OID failed.
PAN-127219
Fixed an issue where you could not select existing certificates when creating an authentication profile by using the Security Assertion Markup Language (SAML) method on the template stack.
PAN-127118
A fix was made to address an OS command line injection vulnerability in the PAN-OS management server where authenticated users were able to inject arbitrary shell commands with root privileges (CVE-2020-2014).
PAN-127087
Fixed an issue where a push operation (Commit All Changes) from Panorama failed on passive firewalls when pushing a large number of new Security policy rules to both firewalls in a high availability (HA) pair.
PAN-126944
Fixed an issue where the Panorama Template did not allow for Ethernet Interface Link Speed configurations greater than 1,000Mbps.
PAN-126817
Fixed an issue where Security Assertion Markup Language (SAML) response validation failed with a certificate mismatch error even if the firewall had the same certificate on IdP.
PAN-126775
(PA-800 and PA-220 Series only) Fixed an issue where NTP sync failures occurred when using NTP servers configured with IPv6.
PAN-126573
Fixed an issue on Panorama where, after overriding a Layer 3 Aggregate Group subinterface, all subinterfaces in the stack template disappeared.
PAN-126412
Fixed an issue where hardware security module (HSM) authentication from the web interface failed if the password contained an ampersand (&).
PAN-126362
A fix was made to address a command injection vulnerability in the PAN-OS management interface where an authenticated administrator was able to execute arbitrary OS commands with root privileges (CVE-2020-2010).
PAN-126278
Fixed an issue where a burst of VLAN-tagged packets in a congested system caused an overflow and locked up the firewall. With this fix, the threshold is increased.
PAN-126202
Fixed an issue where a process (routed) stopped responding when users accessed the web interface to view the OSPF interface data (Network > Virtual Routers > More Runtime Stats > OSPF > Interface) if OSPF MD5 was configured in the OSPF Auth profile.
PAN-126017
Fixed an issue where the set application dump on rule CLI command did not accept rule names with more than 32 characters despite a stated limit of 63 characters.
PAN-126014
Fixed an issue for GlobalProtect gateways where the Login At and Logout At time fields in the Previous User PDF/CSV report for User Information used the Epoch standard for displaying time.
PAN-125889
(PA-7000 Series firewalls only) Fixed an issue where auto-tagging in log forwarding didn't work.
PAN-125804
A fix was made to address an issue where an OS command injection vulnerability in the PAN-OS management server allowed authenticated administrators to execute arbitrary OS commands with root privileges when uploading a new certificate in FIPS-CC mode (CVE-2020-2028).
PAN-125546
Fixed an issue where a process failed to restart even when the system logs displayed the following message: virtual memory exceeded, restarting.
PAN-125527
Fixed an issue where a multilayer ZIP file inspection caused software buffer corruption and the all_pktproc process to restart.
PAN-125306
Fixed an issue where a Transmission Control Protocol (TCP) connection reuse was incorrectly handled by an HA active/active cluster with asymmetric flows.
PAN-125194
Fixed an issue where system startup failed when the collector group was configured with an incorrect serial number of invalid length.
PAN-125032
Fixed an issue where, when Minimum Password Complexity was Enabled for all local administrators, the setting was also applied to plugin users. This caused API calls from plugin users to fail (HTTP Error code 502) because the password change was not made for the users, which caused authentication to fail.
PAN-124857
Fixed an issue where a Microsoft Access Database (MDB) file stopped and a process (mgmtsrvr) stopped responding at the epoll_wait() system call after the Panorama Virtual Appliance was stopped and started from Azure.
PAN-124802
Fixed an issue where LACP connectivity issues were observed due to high CPU utilization when multiple dataplanes were used.
PAN-124628
Fixed an issue where REST API queries were unable to pull shared region objects on Panorama.
PAN-124495
Fixed an issue on Panorama where the task manager showed locally executed jobs but did not show tasks or jobs pushed to managed firewalls.
PAN-124087
Fixed an issue where GPRS tunneling protocol (GTP) v2 protocol handling failed to handle the secondary Modify Bearer Request/Response in the GTP-C session.
PAN-123858
Fixed an issue on firewalls where a process (userid) restarted while processing incorrect IP address-to-username mappings that contained blank usernames from User-ID agents.
PAN-123830
Fixed an issue where the GlobalProtect™ portal used an outdated getbootstrap version.
PAN-123736
Fixed an issue where a Create Session Request message looped internally, which caused continuous packet inspection that consumed firewall resources.
PAN-123724
Fixed an issue in Panorama where shared address objects were not configurable as a destination in a static route configuration.
PAN-123391
A fix was made to address a predictable temporary file vulnerability in PAN-OS (CVE-2020-1994).
PAN-123295
Fixed an issue where the dataplane restarted due to a race condition when a configuration push and a Netflow update occurred simultaneously.
PAN-123135
Fixed an issue where user group membership lookup failed if the username source (for example, Security Assertion Markup Language identity provider (SAML IdP)) did not provide the user domain information. The issue occurred even if you configured the firewall to Allow matching usernames without domains (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup).
PAN-122909
Fixed an issue where enabling SSL Forward Proxy using the hardware security module (HSM) led to intermittent failures when loading random secure websites and displayed the following message: ERR_CERT_INVALID. This issue was most closely associated with servers presenting ECDSA certificates.
PAN-122872
Fixed an issue where the Aggregate Ethernet (AE) subinterface showed a different status from the AE parent interface.
PAN-122147
Fixed an issue where the firewall dropped IPv6 Bidirectional Forwarding Detection (BFD) packets due to a race condition with the Neighbor Discovery Protocol (NDP).
PAN-121822
Fixed an issue with certificate authentication where only the topmost certificate was used to validate the client certificate.
PAN-121654
(PA-3000 Series firewalls only) Fixed an issue where decrypting HTTP/2 traffic caused performance issues due to low memory conditions.
PAN-121626
(PA-3200 Series firewalls only) Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures.
PAN-121598
Fixed an issue where the PAN-OS XML API packet capture (pcap) export failed with the following error message: Missing value for parameter device_name. Now, device_name and sessionid are no longer required parameters.
PAN-121596
Fixed an issue where the OSPF protocol didn't choose the correct loopback address for the forwarding address in the Not-So-Stubby Area (NSSA).
PAN-121483
Fixed an issue where Data Filtering profiles did not generate a packet capture (pcap) for Server Message Block (SMB) when action was set to Alert.
PAN-121395
Fixed an issue where the bidirectional static NAT policy rule hit count did not increase even when the policy was used.
PAN-121371
Fixed an issue where autocommit stopped at 99% if the firewall had an invalid customer ID.
PAN-121319
A fix was made to address a stack-based buffer overflow vulnerability in the management server component of PAN-OS (CVE-2020-1990).
PAN-121258
Fixed an issue where some SSLv3 session traffic logs showed an Allow action even when the security rule policy had a Deny action when url-proxy was enabled.
PAN-120726
Fixed an issue where the firewall incorrectly populated the username after the user was served an Anti-Phishing Continue page due to credential phishing detection.
PAN-120640
Fixed an issue where show routing bfd related commands triggered a memory leak in a process (routed).
PAN-120350
Fixed an issue where an Address Resolution Protocol (ARP) broadcast storm overloaded the Log Processing Card (LPC) and caused the device to reboot.
PAN-119810
A fix was made to address an improper restriction of XML external entity reference (XXE) vulnerability in the Palo Alto Networks Panorama management server (CVE-2020-2012).
PAN-119625
Fixed an issue where configuring GlobalProtect certificate enrollment using Simple Certificate Enrollment Protocol (SCEP) with a dynamic SCEP challenge caused the firewall to initiate a TLS 1.0 based connection for challenge authentication.
PAN-119442
Fixed an issue where Panorama did not display the drop-down for part of a custom report after using Pick up Later (Monitor > Manage Custom Reports).
PAN-119173
(PA-5000 and PA-3000 Series firewalls only) Fixed an issue where the passive device in a high availability (HA) pair started processing traffic, which resulted in a packet buffer leak.
PAN-118226
A fix was made to address an improper input validation vulnerability in the configuration daemon of Palo Alto Networks Panorama (CVE-2020-2011).
PAN-117480
A fix was made to upgrade Nginx software included with PAN-OS (PAN-SA-2020-0006 / CVE-2016-4450 and CVE-2013-0337).
PAN-117108
Fixed an issue where user mappings populated by the XML API were lost after a reboot.
PAN-117043
Fixed an issue where using special characters in the tag names of the Security policy rules returned the following error message when committing or pushing a configuration: group-tag is invalid.
PAN-116842
Fixed an issue where, after enabling a Cortex Data Lake license, the management plane memory utilization would increase unexpectedly when some connections between the firewall and Customer Support Portal server were blocked, leading to multiple process restarts due to an out-of-memory (OOM) condition.
PAN-116231
Fixed an issue where invalid packet header content drop counters were seen in global counters when packets from the network or HA3 were hitting a stale flow. The following flow state verify error was seen: flow_fpga_rcv_key_err - Packets dropped.
PAN-116061
Fixed an issue where traffic traversing an IPSec tunnel did not use the default maximum interface bandwidth, which caused the traffic to traverse the IPSec tunnel with latency.
PAN-116002
Fixed an issue where an incorrect optimization could cause IP address-to-user mapping to not update within 60 seconds.
PAN-115562
Fixed an issue where superuser CLI permissions for role-based administrators did not match superuser privileges.
PAN-115093
Fixed an issue where the firewall generated excessive logs for content decoder (CTD) errors.
PAN-114648
(PA-3200 Series firewalls only) Fixed an issue where the HA1 heartbeat backup connection flapped due to ping failures caused by unavailable buffer space when Heartbeat Backup was configured (Device > High Availability > Election Settings).
PAN-111636
A fix was made to address OpenSSH issues (PAN-SA-2020-0002 / CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111).
PAN-102682
A fix was made to address an OS command injection vulnerability in the management component of PAN-OS where an authenticated user was able to potentially execute arbitrary commands with root privileges (CVE-2020-2007).
PAN-100734
A fix was made to address a buffer overflow vulnerability in the PAN-OS management interface where authenticated users were able to crash system processes or execute arbitrary code with root privileges (CVE-2020-2015).
PAN-100415
A fix was made to address an external control of filename vulnerability in the command processing of PAN-OS (CVE-2020-2003).
PAN-74442
Fixed an issue where, after enabling debugging on the dataplane, the debug logs contained information about unrelated traffic.