PAN-OS 9.1.11 Addressed Issues

PAN-OS® 9.1.11 addressed issues.
(WF-500 appliance only) Fixed an issue where cloud inquiries were logged under the
Fixed an issue where Zero-Touch Provisioning (ZTP) configuration wasn't removed after disabling it, which resulted in predefined configurations being loaded after a reboot.
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges (CVE-2021-3050).
Fixed an issue where DNS Security web service was not reachable and retransmission did not occur.
Fixed an issue on firewalls in a high availability (HA) configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
Fixed an issue where unicast DHCP discover or request packets were silently dropped.
Fixed an issue where Panorama deployed in Google Cloud Platform (GCP) failed to renew the management server DHCP IP address.
Console debug output was enhanced to address issues that led to a loss of SSH and web interface access.
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (on the firewall, or Commit All Changes on Panorama) or an implicit commit such as an Antivirus update, Dynamic Update, or WildFire update. This issue persists for a network-related configuration and commit.
Fixed an issue where, when a partial Preview Change job failed, a process (configd) stopped responding.
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
Fixed an issue where PAN-DB URL cloud updates failed because a process (devsrvr) did not fetch serial numbers, which prevented the PAN-DB URL cloud from connecting after first deployment.
Fixed an issue where a process (ikemgr) stopped responding while making configuration changes. This issue occurred if Site-to-Site IPSec was using certificate-based authentication.
Fixed an issue where using cookies to authenticate macOS users didn't work due to the client agent not providing the value set in the GlobalProtect messages sent during the connection. As a result, the firewall was unable to find and include the portal authentication cookie in the response message.
Fixed a rare issue where generating a tech support file caused the useridd process to stop responding.
Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
Fixed an issue in an HA active/active configuration where traffic with complete packets showed up as incomplete and was disconnected because a non-session-owner device closed the session prematurely.
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
Fixed an issue related to a process (all_pktproc) that occurred in long-lived sessions that spanned two content upgrades.
Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.
Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match the predict session, which resulted in child sessions failing.
Fixed an issue where users connecting to the US East gateway encountered a delay in DNS responses.
Fixed an issue on multi-dataplane firewalls with high CPU use on dataplane 0 that caused an internal loop of forward/host sessions on the firewall.
Fixed a configuration management issue that resulted in a process (ikemgr) failing to recognize changes in subsequent commits.
Fixed an issue where a session failed due to resource unavailability.
Fixed an issue where a process (configd) restarted when browsing policies on Panorama.
Fixed an issue where ElasticSearch didn't register to the masterd process when setting up a new Log Collector configuration.
Fixed an issue where role-based admin users with a particular privilege disabled were unable to view applications.
Fixed an issue on United States GlobalProtect portals where HTTP health checks failed and no authentication events occurred for about 10 minutes.
Fixed an issue on the firewalls where generating SCEP Certificates did not work when the value of a Relative Distinguished Name (RDN) in the subject string contained a space.
Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.
Fixed an issue where, in scenarios with fragmented Session Initiation Protocol (SIP) traffic, the first packet arrived out of order and bypassed App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by App-ID and CTD.
Fixed an issue where Panorama missed address group objects during a template configuration due to Panorama not sending the required strings for a query.
Fixed an issue where the Application Command Center (ACC) did not display data when the Device Group was set with a particular string in its name.
Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
(VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).
(VM-Series firewalls only) Fixed an issue where the firewall rebooted into maintenance mode after installing a capacity license in FIPS-CC mode.
Fixed an issue where the Panorama web interface displayed an unavailable setting.
A CLI command was added to immediately disable or enable restarting the syslog-ng connection during an FQDN refresh IP address change.
Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
Fixed an issue where multiple dataplane processes (all_task, flow_mgmt, flow_ctrl, and pktlog_forwarding) stopped responding and caused the dataplane to restart. This issue occurred when the firewall received unexpected packets during an SSL handshake when SSL inbound inspection was configured.
Fixed a rare issue where an external dynamic list (EDL) entry became corrupt due to an erroneous string being inserted while generating the list.
Fixed an issue where the commit time increased after upgrading from PAN-OS 9.0 to PAN-OS 9.1.
Fixed an issue where the predict session didn't update the associated rules when Security policies shifted after a commit.
The following CLI commands were added to enable the customer to set the dataplane utilization limit:
debug dataplane show ctd wildfire max
debug dataplane set ctd wildfire max <0-5000>
The default setting is the recommended value of 500; a value of 0 removes dataplane CTD limits.
Fixed an issue where the Service Route Configuration (Device > Setup > Services > Service Route Configuration) could not be changed when the web interface language was set to a language other than English.
Fixed an intermittent issue where importing a new firewall's configuration into Panorama failed due to conflicting virtual system (vsys) names, even when the Device Group Name Prefix was used to make the name unique.
Fixed an issue where a user was able to clone, edit, and commit a configuration that had been locked by another user.
Fixed a memory leak issue related to a process (reportd) where memory was not freed after an ElasticSearch request.
Fixed an issue where only one medium-severity system log was generated if either the EDL file wasn't updated at the remote end or the downloaded file wasn't a text file.
Fixed an intermittent issue where, when a race condition occurred, a process (rasmgr) stopped responding, which caused GlobalProtect user authentication failure.
Fixed an issue where scheduled configuration bundle exports via Secure Copy (SCP) displayed the following error message in the system log after another message had already been logged for the export:
Failed to export config bundle
Fixed an issue where BGP routing stopped advertising a redistributed route when a similar new redistributed route was configured.
Fixed an issue where, when the DNS Security feature was enabled, Linux clients experienced a delay in resolving domain names if the clients simultaneously attempted A and AAAA resolution.
Fixed an issue where importing to the SNMP manager caused the following error to display:
Registration failed, registration failed, because there are unreferenced definition names in the MIB file
Fixed an issue where, when the relevant CLI command was enabled for a certificate profile, a nonce value was still included in the Online Certificate Status Protocol (OCSP) request.
Fixed an issue where SD-WAN routes weren't withdrawn after a bootup when all SD-WAN tunnels were down.
Fixed an issue where the Certificate Revocation List (CRL) in Distinguished Encoding Rules (DER) format incorrectly returned errors despite being able to successfully pull the CRL to verify that the syslog server certificate was still valid.
Fixed an issue where, when a new tag was created, a custom application with the same name was also created.
Fixed an issue where the debug sslmgr view crl command failed when an ampersand (&) character was included in the URL for the certificate revocation list (CRL).
Fixed a memory leak issue in the management server process.
Fixed an issue where commits to the Prisma Access Remote networks from Panorama were failing when the management server on the cloud firewall failed to exit cleanly and reported the following error:
pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
(PA-3200 Series firewalls only) Fixed an issue where, for SNMPv2-MIB:sysServices, the following error message was returned:
No Such Instance currently exists at this OID
Fixed a memory leak in the management server process on the firewall.
Fixed a buffer overflow issue related to the useridd process.
Fixed an issue where warnings displayed during a commit or validate when BGP peers used in an import/export rule were disabled.
Fixed an issue where the firewall dropped packets due to a race condition.
(VM-Series firewalls with multiple DHCP interfaces only) Fixed an issue where leases renewed more quickly than needed, which caused unnecessary SPF recalculations.
Fixed an issue where DNS Proxy rules that contained uppercase characters were not normalized to lowercase, which prevented the rules from being matched.
Fixed an issue where, when decryption was enabled, the following error was displayed:
Cannot contact reCAPTCHA. Check your connection and try again
Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures:
set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]
Fixed an issue where admin users with custom roles were unable to create VLANs.
(VM-Series firewalls deployed in Amazon Web Services (AWS) instance types M5 and C5 only) Fixed an issue where a Panorama Virtual Appliance in an HA configuration entered a suspended state due to a virtual machine (VM) memory size mismatch.
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (Preview Rules).
Fixed an issue where, after updating an address in an Address Group, a commit did not update GlobalProtect split tunnel access routes.
(Panorama appliances in Log Collector mode only) The following CLI command was added to disable "No valid device certificate found" messages in the system log:
debug skip-cert-renewal-check-syslog yes
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
Fixed an issue where the firewall did not display unified logs.
Fixed an issue where, after upgrading to PAN-OS 9.1.5, VM-Series firewalls in HA configurations went into a non-functional state due to a virtual machine (VM) license mismatch.
Fixed a packet buffer issue where HTTP/2 packets were held for category lookup when the HTTP request spanned multiple packets.
Fixed an issue where NetFlow updates were sent without honoring the configured active timeout value.
Fixed an issue where a process (useridd) stopped responding while attempting to remove all HIP reports on the disk.
Fixed an intermittent issue where the Panorama Cloud Services plugin reported the following error for its Cortex Data Lake status:
Failed to validate server certificate for endpoint
(Panorama appliances on PAN-OS 10.0 releases only) Fixed an issue with Security policy rule configuration where, in the rule tabs, the Query Traffic setting was not available for Address Groups.
Fixed an issue where the web interface did not display the Release Date when installing dynamic updates manually.
Fixed an issue where the per-minute resource monitor was three minutes behind.
Fixed an issue that caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
Fixed an issue where the GlobalProtect gateway failed with the following error message:
gateway does not exist
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
Fixed an issue where URL filtering logs for credential phishing displayed a slash character (/) in the URL field.
Fixed an issue on Panorama where an attribute was not set to the expected value when creating dynamic-address-group-specific configurations during a Panorama commit.
Fixed an issue where a daemon (ikemgr) repeatedly restarted, which resulted in the firewall rebooting.
Fixed a memory leak issue where a process (devsrvr) restarted due to the memory limit being exceeded.
Fixed an issue with the group-mapping mode credential detection feature that failed to block users when logging in using corporate credentials.
Fixed an issue on Panorama appliances where exporting or pushing a device configuration bundle to PA-5000, PA-5200, PA-7000, or PA-7000b series firewalls failed with the following error message:
Config bundle is too large to be exported to device
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
(PA-5200 Series and PA-7000 Series firewalls with Log Processing Cards (LPCs) only) Fixed an issue where the log quota (Logging and Reporting Settings > Session Log Storage > Session Log Quota) exceeded 100%.
Fixed an issue where commits didn't complete due to a race condition in the log receiver.
Fixed an issue where Panorama was not accessible via the web interface due to insufficient available disk space in the opt/mongobuffer partition, which caused the mongodb process to stop responding.
Fixed an issue where the show logging-status CLI command did not display any output on the firewall even though the firewall was connected to Panorama and was successfully forwarding logs.
(VM-Series firewalls only) Fixed an issue where packet buffer protection was not supported.
Fixed an issue where you were unable to locally override a user-group-mapping setting pushed from Panorama.
Fixed an issue where IKE Gateway configurations with different crypto profiles on the same IP address with dynamic peers failed with the following error message:
IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address
With this fix, you can configure IKE Gateways with different crypto profiles on the same IP address with dynamic peers when IKEv1 auto mode is applied.
Fixed an issue in a multi-tenant deployment where, when a user made a configuration change, the change could not be committed, and the web interface displayed the following error message:
No pending change to commit
With this fix, users with multiple access domains are able to see plugin information.

