PAN-OS 9.0.7 Addressed Issues

PAN-OS® 9.0.7 addressed issues.
Issue ID
Description
WF500-5185
(
WF-500 Series only
) Fixed an issue where high disk use was observed due to an inadequate rotation of log files.
PAN-140090
Fixed an issue where HA links were down in VLAN access mode for KVM. This fix is only applicable for KVM deployments that are configured in VLAN access mode with SR-IOV.
PAN-137458
Fixed an issue where system logs with new event IDs caused a memory leak in a process (
mgmtsrvr
).
PAN-136698
Fixed an issue where a process (
all_pktproc
) stopped responding and the dataplane restarted when the firewall processed a malformed GPRS tunneling protocol (GTP) packet.
PAN-136696
Fixed an issue where the dataplane restarted due to excessive logs from the
pan_comm
process.
PAN-135703
(
PA-7000 Series firewalls only
) Fixed an issue where the switch ports connected to Quad Small Form-factor Pluggable (QSFP+) interfaces were up while Network Processing Cards (NPCs) were still rebooting.
PAN-135260
(
PA-7000 Series firewalls running PAN-OS® 8.1.12 only
) Fixed an intermittent issue where the dataplane process (
all_pktproc_X
) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic.
PAN-135103
A fix was made to address a format string vulnerability on PA-7000 Series firewalls with a Log Forwarding Card (LFC) (CVE-2020-1992).
PAN-135089
Fixed an issue where the CPU for a process (
ikemgr
) spiked when third-party VPN clients connected to the GlobalProtect gateway with more than three DNS servers configured.
PAN-134678
(
PA-5200 Series firewalls only
) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable.
PAN-134370
Fixed an issue where a process (
mp-relay
) restarted due to missing routes or next hops.
PAN-134244
Fixed an issue where connections proxied by the firewall (such as SSL Decryption, GlobalProtect portal and gateway connections, and SIP over TCP) failed due to insufficient buffer allocation. Some connections failed with the following error message:
proxy decrypt failure
.
PAN-133582
Fixed an issue in the firewalls where some Dynamic Address Groups pushed from Panorama were missing member IP addresses.
PAN-133440
Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues.
PAN-133378
Fixed an issue in Panorama where a process (
configd
) restarted while doing a commit using a RADIUS super admin role.
PAN-133048
(
PA-5200 and PA-7000 Series firewalls only
) Fixed an issue where firewalls processed traffic asymmetrically when using Internet Protocol (IP) classifiers on virtual wire (vwire) subinterfaces.
PAN-133042
(
PA-5200 and PA-7000 Series firewalls only
) Fixed an issue where firewalls dropped certain GPRS tunneling protocol (GTP) traffic even when
gtp nodrop
was enabled.
PAN-133040
Fixed an issue on a WF-500 appliance where a VM-Series firewall controller stopped responding, which caused the appliance to stop file analysis.
PAN-131993
Fixed an issue where a process (
reportd
) would crash while running a log query.
PAN-131907
Fixed an issue where GPRS tunneling protocol (GTP) version 2 handling was unable to handle fully qualified tunnel endpoint IDs (FTEID) received in reverse order, which resulted in GTP-C and GTP-U flows with incorrect IP addresses and tunnel endpoint IDs (TEID). This caused a GTP stateful inspection failure for subsequent packets on the respective flows.
PAN-131486
Fixed an issue where autocommits failed due to invalid access routes after an upgrade.
PAN-131193
Fixed an issue where firewalls dropped generic routing encapsulation (GRE) packets with the following error message:
Packet dropped, prepend failure
.
PAN-130573
Fixed an issue where the software pool for Regex results was depleted and caused connection failures.
PAN-130447
Fixed an issue where the firewall dropped offloaded traffic every time there was an explicit commit (
Commit
on the firewall locally or
Commit All Changes
in Panorama) or an implicit commit (such as an Antivirus update, Dynamic Update, or WildFire® update) on the firewall.
PAN-130361
A fix was made to address an external control of filename vulnerability in the SD-WAN component of Palo Alto Networks Panorama (CVE-2020-2009).
PAN-130345
Fixed an issue where the Panorama VM rebooted while filtering for configuration logs when the query value was not one of the predefined string results.
PAN-130290
Fixed an issue in the web interface where traffic logs did not display the destination zone (
Monitor > Logs > Traffic > To Zone
) for multicast sessions.
PAN-130262
Fixed an issue where firewalls dropped HTTP 200 OK messages during the offload of traffic for App-ID™ inspection.
PAN-130229
Fixed an issue on Panorama appliances where you could not change maximum transmission unit (MTU) values from the web interface; attempting to do so caused the appliance to display the following error message:
Malformed Request
.
PAN-129518
Fixed an issue where the firewall restarted due to an out-of-memory (OOM) condition caused by a leak in a process (
ikemgr
).
PAN-129490
Fixed an issue where CRL/OCSP verifications failed due to requests routing through the management interface even when service route was configured.
PAN-128908
If a user password was changed but no commit was performed afterward, the new password did not persist after a reboot. Instead, the user could still use the old password to log in, and the calculation of expiry days was incorrect based on the password change timestamp in the database.
PAN-128717
Fixed an issue in Panorama where, after switching context to a managed device, the session idle timeout was not updated, and the web session timed out even while the administrator was actively working in the interface.
PAN-127616
Fixed an issue where you could not push
FQDN Minimum Refresh Time
from Panorama to managed firewalls.
PAN-127438
Fixed an issue where GlobalProtect portal configuration selection based on certificate template OID failed.
PAN-127219
Fixed an issue where you could not select existing certificates when creating an authentication profile by using the Security Assertion Markup Language (SAML) method on the template stack.
PAN-127118
A fix was made to address an OS command line injection vulnerability in the PAN-OS management server where authenticated users were able to inject arbitrary shell commands with root privileges (CVE-2020-2014).
PAN-127087
Fixed an issue where a push operation (
Commit All Changes
) from Panorama failed on passive firewalls when pushing a large number of new Security policy rules to both firewalls in a high availability (HA) pair.
PAN-126944
Fixed an issue where the Panorama Template did not allow for
Ethernet Interface Link Speed
configurations greater than 1,000Mpbs.
PAN-126817
Fixed an issue where Security Assertion Markup Language (SAML) response validation failed with a certificate mismatch error even if the firewall had the same certificate on IdP.
PAN-126775
(
PA-800 and PA-220 Series only
) Fixed an issue where NTP sync failures occurred when using NTP servers configured with IPv6.
PAN-126573
Fixed an issue on Panorama where, after overriding a Layer 3
Aggregate Group
subinterface, all subinterfaces in the stack template disappeared.
PAN-126412
Fixed an issue where hardware security model (HSM) authentication from the web interface failed if the password contained an ampersand (&).
PAN-126362
A fix was made to address a command injection vulnerability in the PAN-OS management interface where an authenticated administrator was able to execute arbitrary OS commands with root privileges (CVE-2020-2010).
PAN-126278
Fixed an issue where a burst of VLAN-tagged packets in a congested system caused an overflow and locked up the firewall. With this fix, the threshold is increased.
PAN-126202
Fixed an issue where a process (
routed
) stopped responding when users accessed the web interface to view the OSPF interface data (
Network > Virtual Routers > More Runtime Stats > OSPF > Interface
) if OSPF MD5 was configured in the OSPF Auth profile.
PAN-126017
Fixed an issue where the
set application dump on rule
CLI command did not accept rule names with more than than 32 characters despite a stated limit of 63 characters.
PAN-126014
Fixed an issue for GlobalProtect gateways where the
Login At
and
Logout At
time fields in the
Previous User
PDF/CSV report for
User Information
used the Epoch standard for displaying time.
PAN-125889
(
PA-7000 Series firewalls only
) Fixed an issue where auto-tagging in log forwarding didn't work.
PAN-125804
A fix was made to address an issue where an OS command injection vulnerability in the PAN-OS management server allowed authenticated administrators to execute arbitrary OS commands with root privileges when uploading a new certificate in FIPS-CC mode (CVE-2020-2028).
PAN-125546
Fixed an issue where a process failed to restart even when the system logs displayed the following message:
virtual memory exceeded, restarting
.
PAN-125527
Fixed an issue where a multilayer ZIP file inspection caused software buffer corruption and the
all_pktproc
process to restart.
PAN-125306
Fixed an issue where a Transmission Control Protocol (TCP) connection reuse was incorrectly handled by an HA active/active cluster with asymmetric flows.
PAN-125194
Fixed an issue where system startup failed when the collector group was configured with an incorrect serial number of invalid length.
PAN-125032
Fixed an issue where, when
Minimum Password Complexity
was
Enabled
for all local administrators, the setting was also applied to plugin users. This caused API calls from plugin users to fail (
HTTP Error code 502
) because the password change was not made for the users which caused authentication to fail.
PAN-124857
Fixed an issue where a Microsoft Access Database (MDB) file stopped and a process (
mgmtsrvr
) stopped responding at the
epoll_wait ()
system call after the Panorama Virtual Appliance was stopped and started from Azure.
PAN-124802
Fixed an issue where LACP connectivity issues were observed due to high CPU utilization when multiple dataplanes were used.
PAN-124628
Fixed an issue where REST API queries were unable to pull shared region objects on Panorama.
PAN-124495
Fixed an issue on Panorama where the task manager showed locally executed jobs but did not show tasks or jobs pushed to managed firewalls.
PAN-124087
Fixed an issue where GPRS tunneling protocol (GTP) v2 protocol handling failed to handle the secondary Modify Bearer Request/Response in the GTP-C session.
PAN-123858
Fixed an issue on firewalls where a process (
userid
) restarted while processing incorrect IP address-to-username mappings that contained blank usernames from User-ID agents.
PAN-123830
Fixed an issue where the GlobalProtect™ portal used an outdated
getbootstrap
version.
PAN-123736
Fixed an issue where a Create Session Request message looped internally, which caused continuous packet inspection that consumed firewall resources.
PAN-123724
Fixed an issue in Panorama where shared address objects were not configurable as a destination in a static route configuration.
PAN-123391
A fix was made to address a predictable temporary file vulnerability in PAN-OS (CVE-2020-1994).
PAN-123295
Fixed an issue where the dataplane restarted due to a race condition when a configuration push and a Netflow update occurred simultaneously.
PAN-123135
Fixed an issue where user group membership lookup failed if the username source (for example, Security Assertion Markup Language identity provider (SAML IdP)) did not provide the user domain information. The issue occurred even if you configured the firewall to
Allow matching usernames without domains
(
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup
).
PAN-122909
Fixed an issue where enabling
SSL Forward Proxy
using the hardware security module (HSM) led to intermittent failures when loading random secure websites and displayed the following message:
ERR_CERT_INVALID
. This issue was most closely associated with servers presenting ECDSA certificates.
PAN-122872
Fixed an issue where the Aggregate Ethernet (AE) subinterface showed a different status from the AE parent interface.
PAN-122147
Fixed an issue where the firewall dropped IPv6 Bidirectional Forwarding Detection (BFD) packets due to a race condition with the Neighbor Discovery Protocol (NDP).
PAN-121822
Fixed an issue with certificate authentication where only the topmost certificate was used to validate the client certificate.
PAN-121654
(
PA-3000 Series firewalls only
) Fixed an issue where decrypting HTTP/2 traffic caused performance issues due to low memory conditions.
PAN-121626
(
PA-3200 Series firewalls only
) Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures.
PAN-121598
Fixed an issue where the PAN-OS XML API packet capture (pcap) export failed with the following error message:
Missing value for parameter device_name
. Now,
device_name
and
sessionid
are no longer required parameters.
PAN-121596
Fixed an issue where the OSPF protocol didn't choose the correct loopback address for the forwarding address in the Not-So-Stubby Area (NSSA).
PAN-121483
Fixed an issue where Data Filtering profiles did not generate a packet capture (pcap) for Server Message Block (SMB) when action was set to Alert.
PAN-121395
Fixed an issue where the bidirectional static NAT policy rule hit count did not increase even when the policy was used.
PAN-121371
Fixed an issue where autocommit stopped at 99% if the firewall had an invalid customer ID.
PAN-121319
A fix was made to address a stack-based buffer overflow vulnerability in the management server component of PAN-OS (CVE-2020-1990).
PAN-121258
Fixed an issue where some SSLv3 session traffic logs showed an Allow action even when the security rule policy had a Deny action when
url-proxy
was enabled.
PAN-120726
Fixed an issue where the firewall incorrectly populated the username after the user was served an Anti-Phishing Continue page due to credential phishing detection.
PAN-120640
Fixed an issue where
show routing bfd
related commands triggered a memory leak in a process (
routed
).
PAN-120350
Fixed an issue where an Address Resolution Protocol (ARP) broadcast storm overloaded the Log Processing Card (LPC) and caused the device to reboot.
PAN-119810
A fix was made to address the improper restriction of the XML external entity (XXE) vulnerability in the Palo Alto Networks Panorama management server (CVE-2020-2012).
PAN-119625
Fixed an issue where configuring GlobalProtect certificate enrollment using Simple Certificate Enrollment Protocol (SCEP) with a dynamic SCEP challenge caused the firewall to initiate a TLS 1.0 based connection for challenge authentication.
PAN-119442
Fixed an issue where Panorama did not display the drop-down for part of a custom report after using
Pick up Later
(
Monitor > Manage Custom Reports
).
PAN-119173
(
PA-5000 and PA-3000 Series firewalls only
) Fixed an issue where the passive device in a high availability (HA) pair started processing traffic, which resulted in a packet buffer leak.
PAN-118226
A fix was made to address an improper input validation vulnerability in the configuration daemon of Palo Alto Networks Panorama (CVE-2020-2011).
PAN-117480
A fix was made to upgrade Nginx software included with PAN-OS (PAN-SA-2020-0006 / CVE-2016-4450 and CVE-2013-0337).
PAN-117108
Fixed an issue where user mappings populated by the XML API were lost after a reboot.
PAN-117043
Fixed an issue where using special characters in the tag names of the Security policy rules returned the following error message when committing or pushing a configuration:
group-tag is invalid
.
PAN-116842
Fixed an issue where, after enabling a Cortex Data Lake license, the management plane memory utilization would increase unexpectedly when some connections between the firewall and Customer Support Portal server were blocked, leading to multiple process restarts due to an out-of-memory (OOM) condition.
PAN-116231
Fixed an issue where
invalid packet header content
drop counters were seen in global counters when packets from the network or HA3 were hitting a stale flow. The following flow state verify error was seen:
flow_fpga_rcv_key_err - Packets dropped
.
PAN-116061
Fixed an issue where traffic traversing through an IPSec tunnel used did not use the default maximum interface bandwidth, which caused the traffic to traverse through the IPSec tunnel with latency.
PAN-116002
Fixed an issue where an incorrect optimization could cause IP address-to-user mapping to not update within 60 seconds.
PAN-115562
Fixed an issue where superuser CLI permissions for role-based administrators did not match superuser privileges.
PAN-115093
Fixed an issue where the firewall generated excessive logs for content decoder (CTD) errors.
PAN-114648
(
PA-3200 Series firewalls only
) Fixed an issue where the HA1 hearbeat backup connection flapped due to ping failures caused by unavailable buffer space when
Heartbeat Backup
was configured (
Device > High Availability > Election Settings
).
PAN-111636
A fix was made to address OpenSSH issues (PAN-SA-2020-0002 / CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111).
PAN-102682
A fix was made to address an OS command injection vulnerability in the management component of PAN-OS where an authenticated user was able to potentially execute arbitrary commands with root privileges (CVE-2020-2007).
PAN-100734
A fix was made to address a buffer flow vulnerability in the PAN-OS management interface where authenticated users were able to crash system processes or execute arbitrary code with root privileges (CVE-2020-2015).
PAN-100415
A fix was made to address an external control of filename vulnerability in the command processing of PAN-OS (CVE-2020-2003).
PAN-74442
Fixed an issue where, after enabling debugging on the dataplane, the debug logs contained information about unrelated traffic.

Recommended For You