End-of-Life (EoL)

PAN-OS 9.0.8 Addressed Issues

PAN-OS® 9.0.8 addressed issues.
Fixed an issue where a process (masterd) did not restart another process (logrcvr) on the Log Forwarding Card (LFC) after the process (logrcvr) crashed.
Fixed an issue where performing private data resets during custom Amazon Machine Image (AMI) creation removed CloudWatch directories and caused the CloudWatch plugin to fail.
Added additional debugging to periodically collect the debug dataplane internal pdt bcm counters graphical CLI command's output in the Tech Support File (TSF).
(PA-7050 firewalls running on PA-7000 100G NPCs only) Fixed an issue where the PA-7000 100G NPC Native Implemented Function (NIF) initialization took longer than expected, which caused internal path monitoring failure and sent the firewall into a non-functional state while rebooting.
Fixed an issue where after upgrading the passive firewall, the outer UDP sessions synced from the active firewall did not retain the rule information and after failover, GPRS tunneling protocol (GTP) inspection did not work.
Fixed an issue where a memory leak associated with a process (devsrvr) caused an out-of-memory (OOM) condition on the firewall.
Fixed an issue where an FQDN update that resolved to the same IP address of another FQDN across different policies caused the other FQDN to be deleted due to missing FQDN aggregation.
Fixed an issue where fragmented packets leaked, which caused the depletion of Work Query Entry (WQE) pools.
Fixed an issue where a process (all_pktproc) restarted while processing packets with and destination protocol 251 that internally mapped to GTP-C traffic, which caused the dataplane to restart.
Fixed an issue where dataplane interfaces remained down after active firewall bootup or a high availability (HA) failover.
Fixed an issue where connections to the web interface were abruptly interrupted due to a double free condition (gPanUiPhpGlobal_secure_config_reset), which led to unexpected process restarts.
Fixed an issue where DNS security incorrectly set bits to zero on compressed DNS packets, which caused DNS malformation.
Fixed an issue where the passive firewall in an active/passive HA configuration deleted BGP-learned routes synchronized from the active firewall if the BGP configuration included the redistribution of the learned routes.
Fixed a rare issue on the firewall where a process (flow_mgmt) restarted due to an invalid packet received through the GlobalProtect agent or clientless VPN.
Fixed an issue with Security Assertion Markup Language (SAML) authentication where the firewall used old values, which resulted in failed authentication.
Fixed an issue where improper parsing of the URL database caused high device-server CPU usage.
Fixed an intermittent issue where logs were missing with debug messages due to merging of the index.
Fixed an issue where packet buffer use was at 99% and tunnel monitoring failed, which caused tunnel flaps and LDAP authentication failures.
Fixed an issue where the certificate was not automatically pushed to the firewall until you manually fetched the certificate from the firewall.
Fixed an issue with a memory corruption error that caused a process (all_pktproc) to restart.
Fixed an issue where commit failed on the firewall after disabling Pre-Defined Reports from Panorama.
Fixed an issue where packet descriptor (on-chip) usage reached 100% even though buffers, throughput, and session counts were not elevated.
Fixed an issue where export failed for a large running-config.xml file using the XML API.
Fixed a rare issue on the firewalls where a process (pan_task) restarted due to a NULL pointer exception.
Fixed an issue where the response for the XML API call for the show object registered-ip all operational CLI command included extra appended content.
Fixed an issue on Panorama where processes (vld) ran on high CPU when the incoming system log rate was 0.
Fixed an issue where SNMPv3 monitoring of the firewall failed from the Zabbix server after a firewall reboot or SNMP daemon restart on the firewall.
Fixed an issue with a memory leak in a process (configd) where virtual memory exceeded the limit, which caused the process to restart.
Fixed an issue where the firewall intermittently dropped DNS A or AAAA queries received over IPSec tunnels due to a session installation failure.
Fixed an issue where a process (sysd) restarted due to missing heartbeats.
Fixed an issue where role-based administrators were unable to import certificate private keys onto firewalls.
Fixed an issue in Panorama where logs couldn't be viewed when an additional log collector was configured in the existing log collector group.
Fixed an issue on Panorama where a commit failed when bootstrapping a firewall to a configuration with a serial number of "unknown." The commit failed with the following error message:
mgt-config -> devices -> unknown unknown is invalid
Fixed an issue where a role-based administrator with CLI access was not able to successfully execute the CLI command to commit only changes made by themselves.
Fixed an issue where packets tagged with IP protocol 252 were incorrectly treated as GPRS tunneling protocol (GTP) traffic, which caused the packet processor to terminate.
(PA-5200 Series and PA-7000 Series firewalls only) Fixed an issue where firewalls experienced high packet descriptor (on-chip) usage during uploads to the WildFire Cloud or WF-500 appliance.
Fixed an issue where a new GPRS tunneling protocol version 2 control plane (GTPv2-C) session reused GTP-C tunnel parameters within two seconds after deleting the old GTP-C session, which caused a session conflict on the firewall.
Fixed an issue where a race condition caused the FIB entry list to form a circle, which in turn caused a process (mprelay) to infinitely loop.
A fix was made to address an issue where the GlobalProtect Portal feature in PAN-OS did not set a new session identifier after a successful user login (CVE-2020-1993).
(PA-3200 Series firewalls only) Fixed an issue where configuring 1G small form-factor pluggable (SFP) ports on a firewall with forced speed mode (of 1G) enabled made the link unusable when forced speed mode (of 1G) was also enabled on the peer firewall.
(PA-7000b Series firewalls with LFC cards only) Fixed an issue where the system logs would continuously report a failure to connect to the proxy for WildFire even when the connectivity was working properly.
Fixed an issue in an HA configuration where the dataplane restarted due to internal packet path monitoring failure on the passive firewall.
Fixed an issue in Panorama where the show system search-engine-quota CLI command, the show log-collector serial-number <log-collector_SN> CLI command, and (Panorama > Managed Collectors > Statistics) showed incorrect log retention data.
Fixed an issue where the connection between the firewall and Cortex Data Lake flapped if connections decreased.
Fixed a rare issue where a URL update caused the dataplane to restart.
