PAN-OS 9.1.11 Addressed Issues
End-of-Life (EoL)
PAN-OS® 9.1.11 addressed issues.
Issue ID | Description |
---|---|
WF500-5509 | (WF-500 appliance only) Fixed an
issue where cloud inquiries were logged under the SD-WAN subtype. |
PAN-174448 | Fixed an issue where Zero-Touch Provisioning
(ZTP) configuration wasn't removed after disabling it, which resulted
in predefined configurations being loaded after a reboot. |
PAN-174326 | A fix was made to address an OS command
injection vulnerability in the PAN-OS web interface that enabled
an authenticated administrator to execute arbitrary OS commands
to escalate privileges (CVE-2021-3050). |
PAN-173848 | Fixed an issue where DNS Security web service
was not reachable and retransmission did not occur. |
PAN-172490 | Fixed an issue on firewalls in a high availability
(HA) configuration where HA-2 links continuously flapped on HSCI
interfaces after upgrading to PAN-OS 8.1.19. |
PAN-172464 | Fixed an issue where unicast DHCP discover
or request packets were silently dropped. |
PAN-171290 | Fixed an issue where Panorama deployed in
Google Cloud Platform (GCP) failed to renew the management server
DHCP IP. |
PAN-171174 | Console debug output was enhanced to address
issues that led to a loss of SSH and web interface access. |
PAN-170936 | Fixed an issue where the firewall egressed
offloaded frames out of order after an explicit commit (Commit on
the firewall or Commit All Changes on Panorama) or
an implicit commit such as an Antivirus update, Dynamic Update,
or WildFire update. Note: This issue
persists for a network-related configuration and commit. |
PAN-170825 | Fixed an issue where, when a partial Preview Change job
failed, a process (configd) stopped responding. |
PAN-170740 | Fixed an issue with the google-docs-uploading
application that occurred if a Security policy rule was applied
to a Security profile and traffic was decrypted. |
PAN-170314 | Fixed an issue where PAN-DB URL cloud updates
failed because a process (devsrvr) did not fetch serial
numbers, which prevented the PAN-DB URL cloud from connecting after
first deployment. |
PAN-170103 | Fixed an issue where a process (ikemgr)
stopped responding while making configuration changes. This issue
occurred if Site-to-Site IPSec was using certificate-based authentication. |
PAN-169793 | Fixed an issue where using cookies to authenticate
macOS users didn't work due to the client agent not providing the phpsessionid set
from the sent GlobalProtect messages during the connection. As a
result, the firewall was unable to find and include the portal authentication
cookie in the response message. |
PAN-169197 | Fixed a rare issue where generating a tech
support file caused the useridd process to stop responding. |
PAN-169064 | Fixed an issue where the management CPU
remained at 100% due to a large number of configured User-ID agents. |
PAN-168921 | Fixed an issue in an HA active/active configuration
where traffic with complete packets showed up as incomplete and
was disconnected due to a non-session owner device closing the
session prematurely. |
PAN-167989 | Fixed a timing issue between downloading
and installing threads that occurred when Panorama pushed content
updates and the firewall fetched content updates simultaneously. |
PAN-167872 | Fixed an issue related to a process (all_pktproc) that
occurred in long-lived sessions that spanned two content upgrades. |
PAN-167858 | Fixed an issue where a DNS Security inspection
identified a TCP DNS request that had two requests in one segment
as a malformed packet and dropped the packet. |
PAN-167805 | Fixed an intermittent issue where traffic
ingressing through a VPN tunnel failed to match predict session,
which resulted in child sessions failing. |
PAN-167637 | Fixed an issue where users connecting to
the US East gateway encountered a delay in DNS responses. |
PAN-167266 | Fixed an issue on multi-dataplane firewalls
with high CPU use on dataplane 0 that caused an internal loop of
forward/host sessions on the firewall. |
PAN-167099 | Fixed a configuration management issue that
resulted in a process (ikemgr) failing to recognize
changes in subsequent commits. |
PAN-166836 | Fixed an issue where sessions failed due
to resource unavailability. |
PAN-166572 | Fixed an issue where a process (configd) restarted
when browsing policies on Panorama. |
PAN-166557 | Fixed an issue where ElasticSearch didn't
register to the masterd process when setting up a new
Log Collector configuration. |
PAN-166081 | Fixed an issue where role-based admin users
with tag disabled were unable to view applications
under Objects > Applications. |
PAN-165913 | Fixed an issue on United States GlobalProtect
portals where HTTP health checks failed and no authentication events
occurred for about 10 minutes. |
PAN-165843 | Fixed an issue on the firewalls where generating
SCEP Certificates did not work when the value of a Relative Distinguished
Name (RDN) in the subject string contained a space. |
PAN-165661 | Fixed an issue in an HA active/active configuration
where an administrative shutdown message was not sent to the BGP
peer when the firewall went into a suspended state, which delayed convergence. |
PAN-165660 | Fixed an issue with fragmented Session
Initiation Protocol (SIP) traffic where the first packet, when it
arrived out of order, bypassed App-ID and Content and Threat Detection
(CTD). With this fix, the out-of-order packet is transmitted after
it has been queued and processed by App-ID and CTD. |
PAN-165179 | Fixed an issue where Panorama missed address
group objects during a template configuration due to Panorama not
sending the required strings for a query. |
PAN-165120 | Fixed an issue where the Application Command
Center (ACC) did not display data when the Device Group was set
with VSYS in its name. |
PAN-165025 | Fixed an issue where, when default interzone
and intrazone Security policy rules were overwritten, the rules
did not display hit counts. |
PAN-164422 | (VM-Series firewalls only) A fix
was made to address improper access control that enabled an attacker
with authenticated access to GlobalProtect portals and GlobalProtect
gateways to connect to the EC2 instance metadata endpoint for VM-Series
firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062). |
PAN-164431 | (VM-Series firewalls only) Fixed
an issue where the firewall rebooted into maintenance mode after
installing a capacity license in FIPS-CC mode. |
PAN-164429 | Fixed an issue where the Panorama web interface
displayed an unavailable setting. |
PAN-164402 | A CLI command was added to immediately disable
or enable restarting the syslog-ng connection during an FQDN refresh
IP address change. |
PAN-163800 | Fixed an intermittent issue where the presence
of an Anti-Spyware profile in a Security policy rule that matched
DNS traffic caused DNS responses to be malformed in transit. |
PAN-163695 | Fixed an issue where multiple dataplane
processes (all_task, flow_mgmt, flow_ctrl,
and pktlog_forwarding) stopped responding and caused
the dataplane to restart. This issue occurred when the firewall
received unexpected packets during an SSL handshake when SSL inbound
inspection was configured. |
PAN-162884 | Fixed a rare issue where an external dynamic
list (EDL) entry became corrupt due to an erroneous string being
inserted while generating the list. |
PAN-161618 | Fixed an issue where the commit time increased
after upgrading from PAN-OS 9.0 to PAN-OS 9.1. |
PAN-161289 | Fixed an issue where predict session didn't
update the associated rules when Security policies shifted after
a commit. |
PAN-161218 | The following CLI commands were added to
enable the customer to set the dataplane utilization limit:
debug dataplane show ctd wildfire max and
debug dataplane set ctd wildfire max <0-5000>. The default
setting is the recommended value of 500; a value of 0 removes dataplane
CTD limits. |
PAN-161208 | Fixed an issue where the Service
Route Configuration (Device > Setup > Services >
Service Route Configuration) was unchangeable when the
web interface language was set to a language other than English. |
PAN-160831 | Fixed an intermittent issue where importing
a new firewall's configuration into Panorama failed due to conflicting
virtual system (vsys) names, even when the Device Group
Name Prefix was used to make the name unique. |
PAN-160544 | Fixed an issue where a user was able to
clone, edit, and commit a configuration that had been locked by
another user. |
PAN-160254 | Fixed a memory leak issue related to a process (reportd)
where memory was not freed after an ElasticSearch request. |
PAN-160253 | Fixed an issue where only one medium-severity
system log was generated if either the EDL file wasn't updated at
the remote end or the downloaded file wasn't a text file. |
PAN-160150 | Fixed an intermittent issue where, when
a race condition occurred, a process (rasmgr) stopped
responding, which caused GlobalProtect user authentication failure. |
PAN-159954 | Fixed an issue where scheduled configuration
bundle exports via Secure Copy (SCP) displayed the following error message
in the system log after already displaying a Success message
in the log: Failed to export config bundle. |
PAN-159936 | Fixed an issue where BGP routing stopped
advertising a redistributed route when a similar new redistributed
route was configured. |
PAN-159922 | Fixed an issue where, when the DNS Security
feature was enabled, Linux clients experienced a delay in resolving
domain names if the clients simultaneously attempted A and AAAA
resolution. |
PAN-159700 | Fixed an issue where importing PAN-TRAPS.my
to the SNMP manager caused the following error to display: Registration failed, registration failed, because there are unreferenced definition names in the MIB file. |
PAN-159536 | Fixed an issue where, when the CLI command oscp-exclude-nonce-yes was
enabled for a certificate profile, a nonce value was still included
in the Online Certificate Status Protocol (OCSP) request. |
PAN-159435 | Fixed an issue where SD-WAN routes weren't
withdrawn after a bootup when all SD-WAN tunnels were down. |
PAN-159293 | Fixed an issue where the Certificate Revocation
List (CRL) in Distinguished Encoding Rules (DER) format incorrectly
returned errors despite being able to successfully pull the CRL
to verify that the syslog server certificate was still valid. |
PAN-159122 | Fixed an issue where, when a new tag was
created, a custom application with the same name was also created. |
PAN-158958 | Fixed an issue where the debug sslmgr
view crl command failed when an ampersand (&) character was
included in the URL for the certificate revocation list (CRL). |
PAN-158654 | Fixed a memory leak issue in the management
server process. |
PAN-158649 | Fixed an issue where commits to the Prisma
Access Remote networks from Panorama were failing when the management
server on the cloud firewall failed to exit cleanly and reported
the following error: pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT) |
PAN-158450 | (PA-3200 Series firewalls only)
Fixed an issue where, for SNMPv2-MIB:sysServices, snmpwalk returned
the following error message: No Such Instance currently exists at this OID. |
PAN-158439 | Fixed a memory leak in the management server
process on the firewall. |
PAN-158372 | Fixed a buffer overflow issue related to
the useridd process. |
PAN-158337 | Fixed an issue where warnings displayed
during a commit or validate when BGP peers used in an import/export
rule were disabled. |
PAN-158043 | Fixed an issue where the firewall dropped
packets due to a race condition. |
PAN-157938 | (VM-Series firewalls with multiple DHCP
interfaces only) Fixed an issue where leases renewed more quickly
than needed, which caused unnecessary SPF recalculations. |
PAN-157835 | Fixed an issue where DNS Proxy rules that
contained uppercase characters were not normalized to lowercase,
which prevented the rules from being matched. |
PAN-157725 | Fixed an issue where, when decryption was
enabled, the following error was displayed: Cannot contact reCAPTCHA. Check your connection and try again. |
PAN-157715 | Fixed an intermittent issue where SMB file
transfer operations failed due to packet drops that were caused
by the Content and Threat Detection (CTD) queue filling up quickly.
This fix introduces a new CLI command which, when enabled, prevents
these failures: set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]. |
PAN-157710 | Fixed an issue where admin users with custom
roles were unable to create VLANs. |
PAN-157620 | (VM-Series firewalls deployed in Amazon
Web Services (AWS) instance types M5 and C5 only) Fixed an
issue where a Panorama Virtual Appliance in an HA configuration
entered a suspended state due to a virtual machine (VM) memory size
mismatch. |
PAN-157518 | Fixed an issue where using tags to target
a device group in a Security policy rule did not work, and the rule
was displayed in all device groups (Preview Rules). |
PAN-157459 | Fixed an issue where, after updating an
address in an Address Group, a commit did not update GlobalProtect
split tunnel access routes. |
PAN-157089 | (Panorama appliances in Log Collector
mode only) The following CLI command was added to disable No valid device certificate found messages
in the system log: debug skip-cert-renewal-check-syslog yes. |
PAN-157027 | Fixed an issue where, when stateless GTP-U
traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation
loop occurred, which caused high dataplane resource usage. |
PAN-157026 | Fixed an issue where the firewall did not
display unified logs. |
PAN-156766 | Fixed an issue where, after upgrading to
PAN-OS 9.1.5, VM-Series firewalls in HA configurations went into
a non-functional state due to a virtual machine (VM) license mismatch. |
PAN-156482 | Fixed a packet buffer issue where HTTP/2
packets were held for category lookup and the HTTP request spanned
multiple packets. |
PAN-156393 | Fixed an issue where NetFlow updates were
sent without honoring the configured active timeout value. |
PAN-156388 | Fixed an issue where a process (useridd) stopped
responding while attempting to remove all HIP reports on the disk. |
PAN-155563 | Fixed an intermittent issue where the Panorama
Cloud Services plugin reported the following error for its Cortex
Data Lake status: Failed to validate server certificate for endpoint api.paloaltonetworks.com. |
PAN-154905 | (Panorama appliances on PAN-OS 10.0
releases only) Fixed an issue with Security policy rule configuration
where, in the Source and Destination tabs,
the Query Traffic setting was not available
for Address Groups. |
PAN-154876 | Fixed an issue where the web interface did
not display Release Date when updating the
dynamic updates manually. |
PAN-153382 | Fixed an issue where the per-minute resource
monitor was three minutes behind. |
PAN-153308 | Fixed an issue that caused the mouse cursor
to remove focus from the search bar when hovering over a hyperlink
inside of a cell menu (e.g., source zone, source address, destination
zone, or destination address). |
PAN-153113 | Fixed an issue where the GlobalProtect gateway
failed with the following error message: gateway does not exist. |
PAN-151469 | Fixed an issue where packets were dropped
unexpectedly due to errors parsing the IP version field. |
PAN-149911 | Fixed an issue where URL filtering logs
for credential phishing displayed a slash character (/) in the URL
field. |
PAN-149853 | Fixed an issue on Panorama where the loc attribute
was not set as shared when creating dynamic-address-group-specific
configurations during a Panorama commit. |
PAN-147684 | Fixed an issue where a daemon (ikemgr) repeatedly
restarted, which resulted in the firewall rebooting. |
PAN-143426 | Fixed a memory leak issue where a process (devsrvr)
restarted due to the memory limit being exceeded. |
PAN-141494 | Fixed an issue with the group-mapping mode
credential detection feature that failed to block users when logging
in using corporate credentials. |
PAN-138859 | Fixed an issue on Panorama appliances where
exporting or pushing a device configuration bundle to PA-5000, PA-5200,
PA-7000, or PA-7000b series firewalls failed with the following
error message: Config bundle is too large to be exported to device. |
PAN-138727 | A fix was made to address a time-of-check
to time-of-use (TOCTOU) race condition in the PAN-OS web interface
that enabled an authenticated administrator with permission to upload
plugins to execute arbitrary code with root user privileges (CVE-2021-3054). |
PAN-136505 | (PA-5200 Series and PA-7000 Series firewalls
with Log Processing Cards (LPCs) only) Fixed an issue where
the log quota (Logging and Reporting Settings > Session
Log Storage > Session Log Quota) exceeded 100%. |
PAN-134390 | Fixed an issue where commits didn't complete
due to a race condition in the log receiver. |
PAN-133782 | Fixed an issue where Panorama was not accessible
via the web interface due to insufficient available disk space in
the opt/mongobuffer partition, which caused
the mongodb process to stop responding. |
PAN-130003 | Fixed an issue where the show logging-status CLI
command did not display any output on the firewall even though the
firewall was connected to Panorama and was successfully forwarding
logs. |
PAN-124956 | (VM-Series firewalls only) Fixed
an issue where packet buffer protection was not supported. |
PAN-118846 | Fixed an issue where you were unable to
locally override a user-group-mapping setting pushed from Panorama. |
PAN-116515 | Fixed an issue where IKE Gateway configurations
with different crypto profiles on the same IP address with dynamic
peers failed with the following error message: IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address. With
this fix, you are able to configure IKE Gateways with different crypto
profiles on the same IP address with dynamic peers when IKEv1 auto
mode is applied. |
PAN-108197 | Fixed an issue in a multi-tenant deployment
where, when a user made configuration changes, the changes could
not be committed, and the web interface displayed the following
error message: No pending change to commit.
With this fix, users with multiple access domains will now be able
to see plugin information. |