PAN-OS 9.1.10 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 9.1.10 Addressed Issues
PAN-OS® 9.1.10 addressed issues.
Issue ID | Description |
---|---|
WF500-5568 | Fixed an issue where a firewall in FIPS
mode running PAN-OS 8.1.18 or a later version failed to connect
with a WildFire appliance in normal mode. |
WF500-5513 | Fixed an issue where cloud queries failed,
which generated system logs. The issue occurred because a hash was
not found in the cloud. |
PAN-169551 | Fixed an issue where custom URL categories
hit incorrect URL categories, which caused the firewall to miss
or deny the security policies for the configured custom URL. |
PAN-168298 | Fixed an issue where a firewall superuser
using an LDAP authentication profile that was pushed from Panorama
was unable to save the filter under Monitor > Logs. |
PAN-167306 | (VM-Series firewalls on Microsoft Azure
only) Fixed an issue where, when a second disk was added, /opt/panlogs was
mounted on an incorrect partition. |
PAN-167098 | Fixed an issue where a configd process
memory corruption occurred when Panorama was exposed to multiple
XML API calls on Dynamic Address Groups updates. |
PAN-166570 | Fixed an issue where authentication failure
messages were overwritten when a commit was in progress. |
PAN-166328 | (PA-7000 Series firewalls with NPCs
only) Fixed an issue where path monitoring failure occurred
while hot inserting a 100G NPC (network processing card) into the
firewall. |
PAN-166306 | Fixed an issue where commit jobs failed
when validating HIP objects and profiles. |
PAN-166296 | Fixed an issue where an unavailable certificate
revocation list (CRL) from the server side caused an infinite loop
on a process (sslmgr), which resulted in it not responding
for other tasks. |
PAN-166241 | A fix was made to address an improper restriction
of XML external identity (XXE) reference in the PAN-OS web interface
that enabled an authenticated administrator to read any arbitrary
file from the file system and send a specifically crafted request
to the firewall that caused the service to crash (CVE-2021-3055). |
PAN-166021 | Fixed an issue where log queries that included
a username did not return with any output. |
PAN-164922 | Fixed an issue on Panorama where a context
switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19
failed. |
PAN-164846 | Fixed an issue where packet buffers were
depleted. |
PAN-164646 | Fixed an issue where tunnel monitoring in
the Large Scale VPN (LSVPN) displayed as down in both the CLI and
the web interface due to incorrect dataplane ownership. |
PAN-164571 | Fixed an issue where DHCP leases were not
properly synchronized between high availability peers after a device
or dhcpd process restart. With this fix, the DHCP lease
details display correctly on both the active and the passive device. |
PAN-164392 | Fixed an issue where an out-of-memory (OOM)
condition occurred due to a memory leak related to a process (logrcvr). |
PAN-164338 | Fixed an issue where, when using the CLI
or API, configurations for policy rule services or applications
that either used custom settings and default settings together,
or used multiple default settings together, successfully commit
instead of failing or displaying a warning. Note To
use this fix, you must delete previous application or service settings
in the configuration. |
PAN-164056 | Fixed a memory issue for LSVPNs with multiple
dataplane systems. |
PAN-163587 | Fixed an issue on Panorama where a user
with an admin role was able to set the Block IP List option
via the CLI but not the web interface. |
PAN-162663 | Fixed an intermittent issue on the firewall
where packets dropped in decrypted SSL/TLS sessions. |
PAN-162600 | Fixed an issue where, when the GlobalProtect
client sent UDP/4501 traffic that was destined for the GlobalProtect
gateway inside the GlobalProtect tunnel, the firewall still processed
the traffic, which caused routing loops. |
PAN-162594 | Fixed an issue where blank configuration
for tokens in a content-driven FreeDNS Afraid.org Dynamic API v1 DDNS
configuration were not enabled. |
PAN-161869 | Fixed an issue where a core dump occurred
on a process (flow_ctrl) after a commit if a policy-based
forwarding (PBF) rule referenced an interface that had a DHCP IP
address assignment. |
PAN-161544 | Fixed an issue where the Device Namefield
was missing when GlobalProtect logs were exported to CSV from the
Panorama management server. |
PAN-161112 | Fixed an issue where a process (useridd) repeatedly
exceeded the virtual memory limit, which caused the process to stop
responding. |
PAN-161025 | Fixed an issue in Panorama where an administrator
with the role of Panorama administrator did not have the option
to download or install GlobalProtect clients (Panorama
> Device Deployment > GlobalProtect). |
PAN-160997 | Fixed an issue where the metadata from the
firewall's authentication profile was unable to export. This issue
occurred when the authentication profile and the SAML Identity Provider
sever profile were created with VSYS in the Location and
pushed from Panorama template stack values. To utilize this fix,
you must upgrade both Panorama and the firewall. |
PAN-160870 | (ZTP-capable firewalls only) Fixed
an issue where the default Zero Touch Provisioning (ZTP) configuration
was still present on the firewall even when ZTP was disabled, which
caused commit failures. |
PAN-160540 | Fixed an issue where tunnel traffic was
dropped intermittently when a Quality of Service (QoS) Profile was
assigned but the profile had no limits defined. |
PAN-160247 | Fixed an issue where system logs incorrectly
displayed as Critical. |
PAN-160238 | Fixed an issue where intermittent VXLAN
packet drops occurred if the TCI was not configured for inspecting
VXLAN traffic. This issue occurred when traffic was migrated from
a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a
firewall running PAN-OS 9.0 or later. |
PAN-159973 | Fixed an issue where a local commit in the
Panorama management server caused the status to get out of sync
on the managed WildFire appliance. |
PAN-159592 | Fixed an issue where a Japanese keyword
search displayed garbled characters during SAML authentication. |
PAN-159499 | Fixed an issue where you were unable to
select the configured QoS profile under the template stack. |
PAN-159295 | Fixed an issue where scheduled configuration
export files saved in the /tmp folder
in root were not periodically purged, which caused the root partition
to fill up. |
PAN-159224 | Fixed an memory leak issue related to a
process (mgmtsrvr), which was caused by a certificate
loading operation. |
PAN-159054 | Fixed an issue where you were unable to
add more than 500 DHCP relay agent objects in the firewall templates
from Panorama. |
PAN-158932 | Fixed an issue where an increase was observed
on spyware_state, which caused latency. |
PAN-158161 | Fixed an issue where the PBF monitor was
failing on the tunnel interface when QoS was enabled. |
PAN-158119 | (PA-7000 Series firewalls only)
Fixed an issue where TFTP traffic with a high packet rate was not
offloaded even after hitting an application override policy with
a custom application. |
PAN-158020 | Fixed an issue where HIP reports were not
visible on the web interface due to a domain override configuration. |
PAN-157964 | Fixed an issue where adding a container
application from the Apps Seen list did not
remove the child application from the list. |
PAN-157908 | Fixed an issue where false system alarms
for the IP tag log database exceeded the alarm threshold value. |
PAN-157903 | Fixed an issue where the To field
of an email was truncated in threat logs when the original email
exceeded 512 bytes. |
PAN-157632 | Fixed an intermittent issue where the firewall
dropped GPRS tunneling protocol (GTP-U) traffic with the message TEID=0x00000000. |
PAN-157570 | Fixed an issue where device deployment from
Panorama to the firewalls failed with the error message Failed to get DLSRVR client key.
This issue occurred only on firewalls where the request system-private-data-reset CLI
command had been issued in the past. |
PAN-157479 | Fixed an issue on the firewall where a process (useridd)
stopped responding when group-mapping profiles were configured with
an LDAP server profile with the type e-directory. |
PAN-157472 | (PA_5200 Series firewalls only)
Fixed an issue where, after a factory reset, the firewall displayed
the following error message: data_plane_X: Exited 1 times, must be manually recovered.. |
PAN-157447 | Fixed an issue where a process (flow_mgmt) repeatedly
restarted with a segmentation violation (SIGSEGV) signal and the
following trace: flow_mgmt:pan_flow_dos_ager_invoke pan_sw_timer_100ms pan_sw_timer_invoke. |
PAN-157311 | Fixed an issue where, if the OK button
is clicked before tags are loaded when editing an address object
that contained tags via the firewall web interface, associated tags
are removed. |
PAN-157213 | (ZTP firewalls only) Fixed an issue
where the firewall failed to connect to Panorama when ZTP was disabled. |
PAN-157074 | Fixed an issue where a process (configd) stopped
responding, which caused corruption. |
PAN-157035 | (PA-5200 Series firewalls only)
Fixed an intermittent issue where multicast packets traversing the
firewall in VLAN configurations experienced higher drop rates than
expected. |
PAN-157027 | Fixed an issue where, when stateless GTP-U
traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation
loop occurred, which caused high dataplane resource usage. |
PAN-156240 | A fix was made to address an issue where
a cryptographically weak pseudo-random number (PRNG) was used during
authentication to the PAN-OS interface. As a result, attackers with
the capability to observe their own authentication secrets over
a long duration on the firewall had the ability to impersonate another
authenticated web interface administrator’s session (CVE-2021-3047). |
PAN-156113 | Fixed an issue where the management interface
incorrectly used the configured default gateway for local network
traffic when service routes were configured. |
PAN-156098 | Fixed an issue where netflow packets sent
from the firewall contained excess padding, which resulted in the
packet length exceeding 1400 bytes. |
PAN-155772 | Fixed an issue where the Panorama web interface
did not display the secondary IP address configuring it under the
template stack. |
PAN-155758 | (7000-Series firewalls only) Fixed
an issue where, when a subinterface was configured as a Log Card
interface, the commit failed unless an IP address was assigned to
the parent interface. |
PAN-155659 | Fixed an issue where individual users were
unable to populate the allowed user/user group field
when configuring the GlobalProtect Clientless VPN. |
PAN-155657 | Fixed an issue where the default log level
for mprelay was set to INFO and caused commits
to stop working on VM-Series firewalls in AWS using EBS backed volumes
when route monitor is configured. |
PAN-155593 | Fixed an issue where the firewall was unable
to match HIP objects with a 3-digit code version. |
PAN-155459 | Fixed an issue where an interface placed
in a pre-defined zone was removed by the SD-WAN plugin after a commit
to the firewall. |
PAN-155126 | Fixed an issue where editing the LDAP server
IP address (Device > Templates > Server Profiles > LDAP
> LDAP Server Profile) removed the bind password. |
PAN-154603 | Fixed an issue where, when SSL/TLS was required,
LDAP server authentication attempted StartTLS first. |
PAN-154526 | Fixed an issue where a process (genindex.sh) caused
high memory usage on the management plane. Due to the resulting
OOM condition, multiple processes stopped responding. |
PAN-154441 | Fixed an issue where the Radius EAP authentication
stopped working and the authd process restarted. |
PAN-154433 | Fixed an issue where the firewall was unable
to detect end-user IP address spoofing on the GTP-U for a user data
session when using an IPv6 address. |
PAN-154362 | Fixed an issue where Panorama failed to
push dynamic user groups to the managed firewalls. |
PAN-154334 | Fixed an issue where the inactivity logout
timeout did not reflect on the GlobalProtect mapping timeout. |
PAN-154145 | (VM-Series firewalls only) Fixed
an issue where the management plane CPU was incorrectly reported
to be high. |
PAN-154109 | Fixed an issue where using XML special characters
in the Uninstalled GlobalProtect APP password
in the application configuration (Networks > GlobalProtect >
Portals > Agent > App) disrupted portal connectivity. |
PAN-153952 | Fixed an issue where the firewall treated
external dynamic list entries with nested carets as invalid. |
PAN-153592 | Fixed an issue where, after upgrading Panorama
from PAN-OS 8.1.9 to PAN-OS 9.1.3, the option to preview changes
for dynamic address groups or templates from Panorama did not work. |
PAN-153288 | Fixed an issue where the software QoS shaping
queue processing was not properly applied on multicast traffic. |
PAN-153228 | Fixed an issue where, when IPSec tunnels
had tunnel-monitor enabled, tunnel activation
was sent every 3 seconds, even when the configured value was different. With
this fix, tunnel activation will be sent according to the configured intervals
and thresholds. |
PAN-151909 | Modified the diff algorithm for when a configuration
audit was performed because certain objects incorrectly displayed
as either New or Modified/Unchanged due
to the XML format being added. |
PAN-151751 | Fixed an issue where GlobalProtect logs
did not populate on the destination syslog server in Log Event Extended
Format (LEEF) and common event format (CEF). |
PAN-151679 | Fixed an issue where it was possible via
the CLI to create a Security policy rule with the any and application-default options
simultaneously configured. |
PAN-151302 | (PA-7000 Series firewalls with Log Forwarding
Cards (LFC) only) Fixed an issue where the logging rate for
the LFC was not displayed in Panorama > Managed Devices
> Health. |
PAN-151273 | Fixed an issue where the commit event was
not recorded in the config logs during a Commit and Push on
the Panorama management server. |
PAN-150530 | Fixed an issue where, when printing External
Dynamic List (EDL) log messages, the messages repeated until the
end of the description. |
PAN-150388 | (PA-220 Series firewalls only)
Fixed an issue where a process (mgmtsrvr) stopped responding
when viewing logs in the web interface. |
PAN-150337 | A fix was made to address a reflect cross-site
scripting (XSS) vulnerability in the PAN-OS web interface that enabled
an authenticated network-based attacker to mislead another authenticated
PAN-OS administrator to click on a specially crafted link that performed
arbitrary actions in the web interface as the targeted authenticated
administrator (CVE-2021-3052). |
PAN-150110 | Fixed an issue where Elasticsearch restarted
unexpectedly when it ran out of memory. This was due to the vm.max-map-count value
being set incorrectly in the newer version of Elasticsearch (starting
from PAN-OS 9.0). With this fix, the value is set correctly. |
PAN-150080 | Fixed an issue where, even when tunnel interface
is set to down, the following alert displayed: Tunnel GRE_Tunnels is going down(critical). |
PAN-149867 | Fixed an issue where a process (authd)
ignored null domain authentication profiles in a sequence and only
returned non-null domains to GlobalProtect. |
PAN-147827 | Fixed an issue where, when SIP traffic traversing
the firewall was sent with a high QoS Differentiated Services Code
Point (DSCP) value, the DSCP value was reset to the default setting
(CS0). |
PAN-147781 | A fix was made to address an issue where
an OS command argument injection vulnerability in the PAN-OS web
interface enabled an authenticated administrator to read any arbitrary
file from the file system (CVE-2021-3045). |
PAN-147736 | Fixed an issue on the firewall web interface
where the Cortex Data Lake Logging Service Status pop-up
window did not show correct information. |
PAN-147193 | Fixed an issue with the Panorama web interface
where, when all device groups and templates were selected, a load
configuration operation failed. This was caused by the XML cache
rebuilding for each device group and template iteration. |
PAN-146250 | Fixed an issue where, in two separate but
simultaneous sessions, the same software packet buffer was owned
and processed. |
PAN-146048 | Fixed an issue where a satellite firewall
was unable to authenticate to an LSVPN gateway when the issued certificate
from Simple Certificate Enrollment Protocol (SCEP) had encryption
bits set to 3072. With this fix, the maximum private key size of
3072 bits, along with the 1024-bit size and the 2048-bit size, is
able to authenticate when selected to create the SCEP profile. |
PAN-145190 | Fixed an issue where administrators were
unable to delete the GlobalProtect Data File update
schedule (Device > Dynamic Updates). |
PAN-144305 | Fixed an issue where merged configurations
were unable to be exported from Panorama-managed firewalls using
the PAN-OS XML API. |
PAN-144057 | Fixed a rare issue where, when aggregate
ethernet (AE) groups were deleted and re-added, the AE interface
no longer had an SDB node to send link the location to. As a result,
the dataplane was unable to identify a connected route for the interface
address. |
PAN-143699 | Fixed an issue where the firewall status
was inaccurate (Panorama > Device Deployment). |
PAN-142199 | Fixed an issue memory leak issue where a
process (devsrvr) consumed excess memory, which resulted
in OOM conditions. |
PAN-141750 | Fixed an issue in Panorama where the GlobalProtect
gateway configuration in the template stack for mobile users was
not able to be overwritten. |
PAN-141495 | Fixed an issue where the following settings
were not pushed from Panorama to the firewall: Minimum
Length, Failed Attempts, and Lockout Time (Template
> Device > Setup > Management). |
PAN-140565 | Added zram support to PAN-OS platforms. |
PAN-140443 | Fixed an issue where period Windows Management Instrumentation
(WMI) probing did not work until a process (useridd)
was restarted. |
PAN-138869 | Fixed an issue where some threat logs in
Panorama were not displayed when filtered by Threat-ID name. |
PAN-136635 | Fixed an issue where HIP-related objects
were missing transformation logic, which caused commit failures. |
PAN-114642 | Fixed an issue where firewall logs incorrectly
include the end-user IP address in GTP message logs when you configure
PAA IE with IPv4 and IPv6 dual stack in the Create Session Response
message. |
PAN-113093 | Fixed an intermittent issue where, when
the DNS Security cloud was not reachable, DNS responses had bad
UDP checksums. |
PAN-111553 | Fixed an issue on the Panorama management
server where the "Include Device and Network Templates" setting
(Commit>Push to Devices>Edit Selections" or "Commit>Commit and
Push>Edit Selections) was disabled by default and caused your
push attempts to fail. With this fix, your push will "Include Device
and Network Templates" by default. |