PAN-OS 9.1.10 Addressed Issues
Focus
Focus

PAN-OS 9.1.10 Addressed Issues

Table of Contents

PAN-OS 9.1.10 Addressed Issues

PAN-OS® 9.1.10 addressed issues.
Issue ID
Description
WF500-5568
Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.
WF500-5513
Fixed an issue where cloud queries failed, which generated system logs. The issue occurred because a hash was not found in the cloud.
PAN-169551
Fixed an issue where custom URL categories hit incorrect URL categories, which caused the firewall to miss or deny the security policies for the configured custom URL.
PAN-168298
Fixed an issue where a firewall superuser using an LDAP authentication profile that was pushed from Panorama was unable to save the filter under
Monitor > Logs
.
PAN-167306
(
VM-Series firewalls on Microsoft Azure only
) Fixed an issue where, when a second disk was added,
/opt/panlogs
was mounted on an incorrect partition.
PAN-167098
Fixed an issue where a configd process memory corruption occurred when Panorama was exposed to multiple XML API calls on Dynamic Address Groups updates.
PAN-166570
Fixed an issue where authentication failure messages were overwritten when a commit was in progress.
PAN-166328
(
PA-7000 Series firewalls with NPCs only
) Fixed an issue where path monitoring failure occurred while hot inserting a 100G NPC (network processing card) into the firewall.
PAN-166306
Fixed an issue where commit jobs failed when validating HIP objects and profiles.
PAN-166296
Fixed an issue where an unavailable certificate revocation list (CRL) from the server side caused an infinite loop on a process (sslmgr), which resulted in it not responding for other tasks.
PAN-166241
A fix was made to address an improper restriction of XML external identity (XXE) reference in the PAN-OS web interface that enabled an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that caused the service to crash (CVE-2021-3055).
PAN-166021
Fixed an issue where log queries that included a username did not return with any output.
PAN-164922
Fixed an issue on Panorama where a context switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19 failed.
PAN-164846
Fixed an issue where packet buffers were depleted.
PAN-164646
Fixed an issue where tunnel monitoring in the Large Scale VPN (LSVPN) displayed as down in both the CLI and the web interface due to incorrect dataplane ownership.
PAN-164571
Fixed an issue where DHCP leases were not properly synchronized between high availability peers after a device or dhcpd process restart. With this fix, the DHCP lease details display correctly on both the active and the passive device.
PAN-164392
Fixed an issue where an out-of-memory (OOM) condition occurred due to a memory leak related to a process (logrcvr).
PAN-164338
Fixed an issue where, when using the CLI or API, configurations for policy rule services or applications that either used custom settings and default settings together, or used multiple default settings together, successfully commit instead of failing or displaying a warning.
Note
To use this fix, you must delete previous application or service settings in the configuration.
PAN-164056
Fixed a memory issue for LSVPNs with multiple dataplane systems.
PAN-163587
Fixed an issue on Panorama where a user with an admin role was able to set the
Block IP List
option via the CLI but not the web interface.
PAN-162663
Fixed an intermittent issue on the firewall where packets dropped in decrypted SSL/TLS sessions.
PAN-162600
Fixed an issue where, when the GlobalProtect client sent UDP/4501 traffic that was destined for the GlobalProtect gateway inside the GlobalProtect tunnel, the firewall still processed the traffic, which caused routing loops.
PAN-162594
Fixed an issue where blank configuration for tokens in a content-driven
FreeDNS Afraid.org Dynamic API v1
DDNS configuration were not enabled.
PAN-161869
Fixed an issue where a core dump occurred on a process (flow_ctrl) after a commit if a policy-based forwarding (PBF) rule referenced an interface that had a DHCP IP address assignment.
PAN-161544
Fixed an issue where the
Device Name
field was missing when GlobalProtect logs were exported to CSV from the Panorama management server.
PAN-161260
Fixed a memory leak issue related to a process (useridd) that occurred when processing high amount of HIP reports as well as aa memory leak issue related to the sslvpn process that occurred when the firewall was configured as a GlobalProtect satellite.
PAN-161112
Fixed an issue where a process (useridd) repeatedly exceeded the virtual memory limit, which caused the process to stop responding.
PAN-161025
Fixed an issue in Panorama where an administrator with the role of Panorama administrator did not have the option to download or install GlobalProtect clients (
Panorama > Device Deployment > GlobalProtect
).
PAN-160997
Fixed an issue where the metadata from the firewall's authentication profile was unable to export. This issue occurred when the authentication profile and the SAML Identity Provider sever profile were created with
VSYS
in the
Location
and pushed from Panorama template stack values. To utilize this fix, you must upgrade both Panorama and the firewall.
PAN-160870
(
ZTP-capable firewalls only
) Fixed an issue where the default Zero Touch Provisioning (ZTP) configuration was still present on the firewall even when ZTP was disabled, which caused commit failures.
PAN-160540
Fixed an issue where tunnel traffic was dropped intermittently when a Quality of Service (QoS) Profile was assigned but the profile had no limits defined.
PAN-160247
Fixed an issue where system logs incorrectly displayed as
Critical
.
PAN-160238
Fixed an issue where intermittent VXLAN packet drops occurred if the TCI was not configured for inspecting VXLAN traffic. This issue occurred when traffic was migrated from a firewall running a PAN-OS version earlier than PAN-OS 9.0 to a firewall running PAN-OS 9.0 or later.
PAN-160053
Fixed an issue in Panorama where a process (configd) stopped responding due to a race condition in the mongodbprocess.
PAN-159973
Fixed an issue where a local commit in the Panorama management server caused the status to get out of sync on the managed WildFire appliance.
PAN-159592
Fixed an issue where a Japanese keyword search displayed garbled characters during SAML authentication.
PAN-159499
Fixed an issue where you were unable to select the configured QoS profile under the template stack.
PAN-159295
Fixed an issue where scheduled configuration export files saved in the
/tmp
folder in root were not periodically purged, which caused the root partition to fill up.
PAN-159224
Fixed an memory leak issue related to a process (mgmtsrvr), which was caused by a certificate loading operation.
PAN-159054
Fixed an issue where you were unable to add more than 500 DHCP relay agent objects in the firewall templates from Panorama.
PAN-158932
Fixed an issue where an increase was observed on
spyware_state
, which caused latency.
PAN-158161
Fixed an issue where the PBF monitor was failing on the tunnel interface when QoS was enabled.
PAN-158119
(
PA-7000 Series firewalls only
) Fixed an issue where TFTP traffic with a high packet rate was not offloaded even after hitting an application override policy with a custom application.
PAN-158020
Fixed an issue where HIP reports were not visible on the web interface due to a domain override configuration.
PAN-157964
Fixed an issue where adding a container application from the
Apps Seen
list did not remove the child application from the list.
PAN-157908
Fixed an issue where false system alarms for the IP tag log database exceeded the alarm threshold value.
PAN-157903
Fixed an issue where the
To
field of an email was truncated in threat logs when the original email exceeded 512 bytes.
PAN-157632
Fixed an intermittent issue where the firewall dropped GPRS tunneling protocol (GTP-U) traffic with the message
TEID=0x00000000
.
PAN-157570
Fixed an issue where device deployment from Panorama to the firewalls failed with the error message
Failed to get DLSRVR client key
. This issue occurred only on firewalls where the
request system-private-data-reset
CLI command had been issued in the past.
PAN-157479
Fixed an issue on the firewall where a process (useridd) stopped responding when group-mapping profiles were configured with an LDAP server profile with the type
e-directory
.
PAN-157472
(
PA_5200 Series firewalls only
) Fixed an issue where, after a factory reset, the firewall displayed the following error message:
data_plane_X: Exited 1 times, must be manually recovered.
.
PAN-157447
Fixed an issue where a process (flow_mgmt) repeatedly restarted with a segmentation violation (SIGSEGV) signal and the following trace:
flow_mgmt:pan_flow_dos_ager_invoke pan_sw_timer_100ms pan_sw_timer_invoke
.
PAN-157311
Fixed an issue where, if the
OK
button is clicked before tags are loaded when editing an address object that contained tags via the firewall web interface, associated tags are removed.
PAN-157213
(
ZTP firewalls only
) Fixed an issue where the firewall failed to connect to Panorama when ZTP was disabled.
PAN-157074
Fixed an issue where a process (configd) stopped responding, which caused corruption.
PAN-157035
(
PA-5200 Series firewalls only
) Fixed an intermittent issue where multicast packets traversing the firewall in VLAN configurations experienced higher drop rates than expected.
PAN-157027
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
PAN-156240
A fix was made to address an issue where a cryptographically weak pseudo-random number (PRNG) was used during authentication to the PAN-OS interface. As a result, attackers with the capability to observe their own authentication secrets over a long duration on the firewall had the ability to impersonate another authenticated web interface administrator’s session (CVE-2021-3047).
PAN-156113
Fixed an issue where the management interface incorrectly used the configured default gateway for local network traffic when service routes were configured.
PAN-156098
Fixed an issue where netflow packets sent from the firewall contained excess padding, which resulted in the packet length exceeding 1400 bytes.
PAN-155772
Fixed an issue where the Panorama web interface did not display the secondary IP address configuring it under the template stack.
PAN-155758
(
7000-Series firewalls only
) Fixed an issue where, when a subinterface was configured as a Log Card interface, the commit failed unless an IP address was assigned to the parent interface.
PAN-155659
Fixed an issue where individual users were unable to populate the
allowed user/user group
field when configuring the GlobalProtect Clientless VPN.
PAN-155657
Fixed an issue where the default log level for
mprelay
was set to INFO and caused commits to stop working on VM-Series firewalls in AWS using EBS backed volumes when route monitor is configured.
PAN-155593
Fixed an issue where the firewall was unable to match HIP objects with a 3-digit code version.
PAN-155459
Fixed an issue where an interface placed in a pre-defined zone was removed by the SD-WAN plugin after a commit to the firewall.
PAN-155126
Fixed an issue where editing the LDAP server IP address (
Device > Templates > Server Profiles > LDAP > LDAP Server Profile
) removed the bind password.
PAN-154603
Fixed an issue where, when SSL/TLS was required, LDAP server authentication attempted StartTLS first.
PAN-154526
Fixed an issue where a process (genindex.sh) caused high memory usage on the management plane. Due to the resulting OOM condition, multiple processes stopped responding.
PAN-154441
Fixed an issue where the Radius EAP authentication stopped working and the authd process restarted.
PAN-154433
Fixed an issue where the firewall was unable to detect end-user IP address spoofing on the GTP-U for a user data session when using an IPv6 address.
PAN-154362
Fixed an issue where Panorama failed to push dynamic user groups to the managed firewalls.
PAN-154334
Fixed an issue where the inactivity logout timeout did not reflect on the GlobalProtect mapping timeout.
PAN-154145
(
VM-Series firewalls only
) Fixed an issue where the management plane CPU was incorrectly reported to be high.
PAN-154109
Fixed an issue where using XML special characters in the
Uninstalled GlobalProtect APP
password in the application configuration (
Networks > GlobalProtect > Portals > Agent > App
) disrupted portal connectivity.
PAN-153952
Fixed an issue where the firewall treated external dynamic list entries with nested carets as invalid.
PAN-153592
Fixed an issue where, after upgrading Panorama from PAN-OS 8.1.9 to PAN-OS 9.1.3, the option to preview changes for dynamic address groups or templates from Panorama did not work.
PAN-153288
Fixed an issue where the software QoS shaping queue processing was not properly applied on multicast traffic.
PAN-153228
Fixed an issue where, when IPSec tunnels had
tunnel-monitor
enabled, tunnel activation was sent every 3 seconds, even when the configured value was different. With this fix, tunnel activation will be sent according to the configured intervals and thresholds.
PAN-151909
Modified the diff algorithm for when a configuration audit was performed because certain objects incorrectly displayed as either
New
or
Modified/Unchanged
due to the XML format being added.
PAN-151751
Fixed an issue where GlobalProtect logs did not populate on the destination syslog server in Log Event Extended Format (LEEF) and common event format (CEF).
PAN-151679
Fixed an issue where it was possible via the CLI to create a Security policy rule with the
any
and
application-default
options simultaneously configured.
PAN-151302
(
PA-7000 Series firewalls with Log Forwarding Cards (LFC) only
) Fixed an issue where the logging rate for the LFC was not displayed in
Panorama > Managed Devices > Health
.
PAN-151273
Fixed an issue where the commit event was not recorded in the config logs during a
Commit and Push
on the Panorama management server.
PAN-150530
Fixed an issue where, when printing External Dynamic List (EDL) log messages, the messages repeated until the end of the description.
PAN-150388
(
PA-220 Series firewalls only
) Fixed an issue where a process (mgmtsrvr) stopped responding when viewing logs in the web interface.
PAN-150337
A fix was made to address a reflect cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).
PAN-150110
Fixed an issue where Elasticsearch restarted unexpectedly when it ran out of memory. This was due to the
vm.max-map-count
value being set incorrectly in the newer version of Elasticsearch (starting from PAN-OS 9.0). With this fix, the value is set correctly.
PAN-150080
Fixed an issue where, even when tunnel interface is set to
down
, the following alert displayed:
Tunnel GRE_Tunnels is going down(critical)
.
PAN-149867
Fixed an issue where a process (authd) ignored null domain authentication profiles in a sequence and only returned non-null domains to GlobalProtect.
PAN-147827
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high QoS Differentiated Services Code Point (DSCP) value, the DSCP value was reset to the default setting (CS0).
PAN-147781
A fix was made to address an issue where an OS command argument injection vulnerability in the PAN-OS web interface enabled an authenticated administrator to read any arbitrary file from the file system (CVE-2021-3045).
PAN-147736
Fixed an issue on the firewall web interface where the Cortex Data Lake
Logging Service Status
pop-up window did not show correct information.
PAN-147193
Fixed an issue with the Panorama web interface where, when all device groups and templates were selected, a load configuration operation failed. This was caused by the XML cache rebuilding for each device group and template iteration.
PAN-146250
Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.
PAN-146048
Fixed an issue where a satellite firewall was unable to authenticate to an LSVPN gateway when the issued certificate from Simple Certificate Enrollment Protocol (SCEP) had encryption bits set to 3072. With this fix, the maximum private key size of 3072 bits, along with the 1024-bit size and the 2048-bit size, is able to authenticate when selected to create the SCEP profile.
PAN-145190
Fixed an issue where administrators were unable to delete the
GlobalProtect Data File
update schedule (
Device > Dynamic Updates
).
PAN-144305
Fixed an issue where merged configurations were unable to be exported from Panorama-managed firewalls using the PAN-OS XML API.
PAN-144057
Fixed a rare issue where, when aggregate ethernet (AE) groups were deleted and re-added, the AE interface no longer had an SDB node to send link the location to. As a result, the dataplane was unable to identify a connected route for the interface address.
PAN-143699
Fixed an issue where the firewall status was inaccurate (
Panorama > Device Deployment
).
PAN-142199
Fixed an issue memory leak issue where a process (devsrvr) consumed excess memory, which resulted in OOM conditions.
PAN-141750
Fixed an issue in Panorama where the GlobalProtect gateway configuration in the template stack for mobile users was not able to be overwritten.
PAN-141495
Fixed an issue where the following settings were not pushed from Panorama to the firewall:
Minimum Length
,
Failed Attempts
, and
Lockout Time
(
Template > Device > Setup > Management
).
PAN-140565
Added zram support to PAN-OS platforms.
PAN-140443
Fixed an issue where period Windows Management Instrumentation (WMI) probing did not work until a process (useridd) was restarted.
PAN-138869
Fixed an issue where some threat logs in Panorama were not displayed when filtered by Threat-ID name.
PAN-136635
Fixed an issue where HIP-related objects were missing transformation logic, which caused commit failures.
PAN-114642
Fixed an issue where firewall logs incorrectly include the end-user IP address in GTP message logs when you configure PAA IE with IPv4 and IPv6 dual stack in the Create Session Response message.
PAN-113093
Fixed an intermittent issue where, when the DNS Security cloud was not reachable, DNS responses had bad UDP checksums.
PAN-111553
Fixed an issue on the Panorama management server where the "Include Device and Network Templates" setting (
Commit>Push to Devices>Edit Selections" or "Commit>Commit and Push>Edit Selections
) was disabled by default and caused your push attempts to fail. With this fix, your push will "Include Device and Network Templates" by default.

Recommended For You