PAN-OS 9.1.11 Addressed Issues
PAN-OS® 9.1.11 addressed issues.
(WF-500 appliance only) Fixed an issue where cloud inquiries were logged under the
Fixed an issue where the Zero-Touch Provisioning (ZTP) configuration wasn't removed after ZTP was disabled, which caused predefined configurations to be loaded after a reboot.
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges (CVE-2021-3050).
Fixed an issue where DNS Security web service was not reachable and retransmission did not occur.
Fixed an issue on firewalls in a high availability (HA) configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
Fixed an issue where unicast DHCP discover or request packets were silently dropped.
Fixed an issue where Panorama deployed in Google Cloud Platform (GCP) failed to renew the management server DHCP IP address.
Console debug output was enhanced to address issues that led to a loss of SSH and web interface access.
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (Commit on the firewall or Commit All Changes on Panorama) or an implicit commit such as an Antivirus update, Dynamic Update, or WildFire update.
Note: This issue persists for a network-related configuration and commit.
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
Fixed an issue where using cookies to authenticate macOS users didn't work because the client agent did not provide the phpsessionid set from the GlobalProtect messages sent during the connection. As a result, the firewall was unable to find and include the portal authentication cookie in the response message.
Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
Fixed an issue in an HA active/active configuration where traffic with complete packets showed up as incomplete and was disconnected because a non-session-owner device closed the session prematurely.
Fixed a timing issue between the download and install threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.
Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match a predict session, which caused child sessions to fail.
Fixed an issue where users connecting to the US East gateway encountered a delay in DNS responses.
Fixed an issue on multi-dataplane firewalls with high CPU use on dataplane 0 that caused an internal loop of forward/host sessions on the firewall.
Fixed an issue where sessions failed due to resource unavailability.
Fixed an issue where role-based admin users with tag disabled were unable to view applications under
Fixed an issue on United States GlobalProtect portals where HTTP health checks failed and no authentication events occurred for about 10 minutes.
Fixed an issue on the firewalls where generating SCEP Certificates did not work when the value of a Relative Distinguished Name (RDN) in the subject string contained a space.
Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.
Fixed an issue in scenarios with fragmented Session Initiation Protocol (SIP) traffic where the first packet arrived out of order and bypassed App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted only after it has been queued and processed by App-ID and CTD.
Fixed an issue where Panorama missed address group objects during a template configuration due to Panorama not sending the required strings for a query.
Fixed an issue where the Application Command Center (ACC) did not display data when the Device Group name contained VSYS.
Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
(VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).
(VM-Series firewalls only) Fixed an issue where the firewall rebooted into maintenance mode after installing a capacity license in FIPS-CC mode.
Fixed an issue where the Panorama web interface displayed an unavailable setting.
A CLI command was added to immediately disable or enable restarting the syslog-ng connection during an FQDN refresh IP address change.
Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
Fixed a rare issue where an external dynamic list (EDL) entry became corrupt due to an erroneous string being inserted while generating the list.
Fixed an issue where the commit time increased after upgrading from PAN-OS 9.0 to PAN-OS 9.1.
Fixed an issue where predict sessions didn't update the associated rules when Security policies shifted after a commit.
The following CLI commands were added to enable the customer to set the dataplane utilization limit:
debug dataplane show ctd wildfire max-
debug dataplane set ctd wildfire max <0-5000>
The default setting is the recommended value of 500; a value of 0 removes dataplane CTD limits.
Fixed an issue where the Service Route Configuration (Device > Setup > Services > Service Route Configuration) was unchangeable when the web interface language was set to a language other than English.
Fixed an intermittent issue where importing a new firewall's configuration into Panorama failed due to conflicting virtual system (vsys) names, even when the Device Group Name Prefix was used to make the name unique.
Fixed an issue where a user was able to clone, edit, and commit a configuration that had been locked by another user.
Fixed an issue where only one medium-severity system log was generated if either the EDL file wasn't updated at the remote end or the downloaded file wasn't a text file.
Fixed an issue where scheduled configuration bundle exports via Secure Copy (SCP) displayed the following error message in the system log:
Failed to export config bundle
after already displaying a Success message in the log.
Fixed an issue where BGP routing stopped advertising a redistributed route when a similar new redistributed route was configured.
Fixed an issue where, when the DNS Security feature was enabled, Linux clients experienced a delay in resolving domain names if the clients simultaneously attempted A and AAAA resolution.
Fixed an issue where importing PAN-TRAPS.my to the SNMP manager caused the following error to display:
Registration failed, registration failed, because there are unreferenced definition names in the MIB file.
Fixed an issue where, when the CLI command oscp-exclude-nonce-yes was enabled for a certificate profile, a nonce value was still included in the Online Certificate Status Protocol (OCSP) request.
Fixed an issue where SD-WAN routes weren't withdrawn after a bootup when all SD-WAN tunnels were down.
Fixed an issue where the Certificate Revocation List (CRL) in Distinguished Encoding Rules (DER) format incorrectly returned errors despite the firewall being able to successfully pull the CRL to verify that the syslog server certificate was still valid.
Fixed an issue where, when a new tag was created, a custom application with the same name was also created.
Fixed an issue where the debug sslmgr view crl command failed when an ampersand (&) character was included in the URL for the certificate revocation list (CRL).
Fixed a memory leak issue in the management server process.
Fixed an issue where commits to Prisma Access remote networks from Panorama failed when the management server on the cloud firewall failed to exit cleanly and reported the following error:
pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
(PA-3200 Series firewalls only) Fixed an issue where, for SNMPv2-MIB:sysServices, snmpwalk returned the following error message:
No Such Instance currently exists at this OID.
Fixed a memory leak in the management server process on the firewall.
Fixed an issue where warnings displayed during a commit or validate when BGP peers used in an import/export rule were disabled.
Fixed an issue where the firewall dropped packets due to a race condition.
(VM-Series firewalls with multiple DHCP interfaces only) Fixed an issue where leases renewed more quickly than needed, which caused unnecessary SPF recalculations.
Fixed an issue where DNS Proxy rules that contained uppercase characters were not normalized to lowercase, which prevented the rules from being matched.
Fixed an issue where, when decryption was enabled, the following error was displayed:
Cannot contact reCAPTCHA. Check your connection and try again.
Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures:
set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]
Fixed an issue where admin users with custom roles were unable to create VLANs.
(VM-Series firewalls deployed in Amazon Web Services (AWS) instance types M5 and C5 only) Fixed an issue where a Panorama Virtual Appliance in an HA configuration entered a suspended state due to a virtual machine (VM) memory size mismatch.
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (
Fixed an issue where, after updating an address in an Address Group, a commit did not update GlobalProtect split tunnel access routes.
(Panorama appliances in Log Collector mode only) The following CLI command was added to disable No valid device certificate found messages in the system log:
debug skip-cert-renewal-check-syslog yes
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
Fixed an issue where the firewall did not display unified logs.
Fixed an issue where, after upgrading to PAN-OS 9.1.5, VM-Series firewalls in HA configurations went into a non-functional state due to a virtual machine (VM) license mismatch.
Fixed a packet buffer issue where HTTP2 packets were held for category lookup while the HTTP request spanned multiple packets.
Fixed an issue where NetFlow updates were sent without honoring the configured active timeout value.
Fixed an intermittent issue where the Panorama Cloud Services plugin reported the following error for its Cortex Data Lake status:
Failed to validate server certificate for endpoint api.paloaltonetworks.com.
(Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue with Security policy rule configuration where the Query Traffic setting was not available for Address Groups.
Fixed an issue where the web interface did not display the Release Date when installing dynamic updates manually.
Fixed an issue where the per-minute resource monitor was three minutes behind.
Fixed an issue that caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
Fixed an issue where the GlobalProtect gateway failed with the following error message:
gateway does not exist.
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
Fixed an issue where URL filtering logs for credential phishing displayed a slash character (/) in the URL field.
Fixed an issue on Panorama where the loc attribute was not set as shared when creating dynamic-address-group-specific configurations during a Panorama commit.
Fixed an issue with the group-mapping mode credential detection feature, which failed to block users when they logged in using corporate credentials.
Fixed an issue on Panorama appliances where exporting or pushing a device configuration bundle to PA-5000, PA-5200, PA-7000, or PA-7000b series firewalls failed with the following error message:
Config bundle is too large to be exported to device.
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
(PA-5200 Series and PA-7000 Series firewalls with Log Processing Cards (LPCs) only) Fixed an issue where the log quota (Logging and Reporting Settings > Session Log Storage > Session Log Quota) exceeded 100%.
Fixed an issue where commits didn't complete due to a race condition in the log receiver.
Fixed an issue where the show logging-status CLI command did not display any output on the firewall even though the firewall was connected to Panorama and was successfully forwarding logs.
(VM-Series firewalls only) Fixed an issue where packet buffer protection was not supported.
Fixed an issue where you were unable to locally override a user-group-mapping setting pushed from Panorama.
Fixed an issue where IKE Gateway configurations with different crypto profiles on the same IP address with dynamic peers failed with the following error message:
IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address.
With this fix, you are able to configure IKE Gateways with different crypto profiles on the same IP address with dynamic peers when IKEv1 auto mode is applied.
Fixed an issue in a multi-tenant deployment where, when a user made a configuration change, the change could not be committed and the web interface displayed the following error message:
No pending change to commit.
With this fix, users with multiple access domains can see plugin information.