PAN-OS 9.1.11 Addressed Issues

PAN-OS® 9.1.11 addressed issues.
Issue ID
Description
WF500-5509
(
WF-500 appliance only
) Fixed an issue where cloud inquiries were logged under the
SD-WAN
subtype.
PAN-174448
Fixed an issue where Zero-Touch Provisioning (ZTP) configuration wasn't removed after disabling it, which resulted in predefined configurations to be loaded after a reboot.
PAN-174326
A fix was made to address an OS command injection vulnerability in the PAN-OS web interface that enabled an authenticated administrator to execute arbitrary OS commands to escalate privileges (CVE-2021-3050).
PAN-173848
Fixed an issue where DNS Security web service was not reachable and retransmission did not occur.
PAN-172490
Fixed an issue on firewalls in a high availability (HA) configuration where HA-2 links continuously flapped on HSCI interfaces after upgrading to PAN-OS 8.1.19.
PAN-172464
Fixed an issue where unicast DHCP discover or request packets were silently dropped.
PAN-171290
Fixed an issue where Panorama deployed in Google Cloud Platform (GCP) failed to the renew management server DHCP IP.
PAN-171174
Console debug output was enhanced to address issues that led to a loss of SSH and web interface access.
PAN-170936
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (
Commit
on the firewall or
Commit All Changes
on Panorama) or an implicit comment such as an Antivirus update, Dynamic Update, or WildFire update.
Note
This issue persists for a network-related configuration and commit.
PAN-170825
Fixed an issue where, when a partial
Preview Change
job failed, a process (configd) stopped responding.
PAN-170740
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
PAN-170314
Fixed an issue where PAN-DB URL cloud updates failed because a process (devsrvr) did not fetch serial numbers, which prevented the PAN_DB URL cloud from connecting after first deployment.
PAN-170103
Fixed an issue where a process (ikemgr) stopped responding while making configuration changes. This issue occurred if Site-to-Site IPSec was using certification-based authentication.
PAN-169793
Fixed an issue where using cookies to authenticate MacOS users didn't work due to the client agent not providing the
phpsessionid
set from the sent GlobalProtect messages during the connection. As a result, the firewall was unable to find and include the portal authentication cookie in the response message.
PAN-169197
Fixed a rare issue where generating a tech support file caused the useridd process to stop responding.
PAN-169064
Fixed an issue where the management CPU remained at 100% due to a large number of configured User-ID agents.
PAN-168921
Fixed an issue in an HA active/active configuration where traffic with complete packets showed up as incomplete and were disconnected due to a non-session owner device closing the session prematurely.
PAN-167989
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
PAN-167872
Fixed an issue related to a process (all_pktproc) that occurred in long-lived sessions that spanned two content upgrades.
PAN-167858
Fixed an issue where a DNS Security inspection identified a TCP DNS request that had two requests in one segment as a malformed packet and dropped the packet.
PAN-167805
Fixed an intermittent issue where traffic ingressing through a VPN tunnel failed to match predict session, which resulted in child sessions failing.
PAN-167637
Fixed an issue where users connecting to the US East gateway encountered a delay in DNS responses.
PAN-167266
Fixed an issue on multi-dataplane firewalls with high CPU use on dataplane 0 that caused an internal loop of forward/host sessions on the firewall.
PAN-167099
Fixed a configuration management issue that resulted in a process (ikemgr) failing to recognize changes in subsequent commits.
PAN-166836
Fixed an issue where session failed due to resource unavailability.
PAN-166572
Fixed an issue where a process (configd) restarted when browsing policies on Panorama.
PAN-166557
Fixed an issue where ElasticSearch didn't register to the masterd process when setting up a new Log Collector configuration.
PAN-166081
Fixed an issue where role based admin users with
tag
disabled were unable to view applications under
Objects
Application
.
PAN-165913
Fixed an issue on United States GlobalProtect portals where HTTP health checks failed and no authentication events occurred for about 10 minutes.
PAN-165843
Fixed an issue on the firewalls where generating SCEP Certificates did not work when the value of a Relative Distinguished Name (RDN) in the subject string contained a space.
PAN-165661
Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.
PAN-165660
Fixed an issue where, in scenarios with Fragmented Session Initiation Protocol (SIP), where the first packet arrived out of order, bypassing App-ID and Content and Threat Detection (CTD). With this fix, the out-of-order packet is transmitted after it has been queued and processed by App-ID and CTD.
PAN-165179
Fixed an issue where Panorama missed address group objects during a template configuration due to Panorama not sending the required strings for a query.
PAN-165120
Fixed an issue where the Application Command Center (ACC) did not display data when the Device Group was set with
VSYS
in its name.
PAN-165025
Fixed an issue where, when default interzone and intrazone Security policy rules were overwritten, the rules did not display hit counts.
PAN-164422
(
VM-Series firewalls only
) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).
PAN-164431
(
VM-Series firewalls only
) Fixed an issue where the firewall rebooted into maintenance mode after installing a capacity license in FIPS-CC mode.
PAN-164429
Fixed an issue where the Panorama web interface displayed an unavailable setting.
PAN-164402
A CLI command was added to immediately disable or enable restarting the syslog-ng connection during an FQDN refresh IP address change.
PAN-163800
Fixed an intermittent issue where the presence of an Anti-Spyware profile in a Security policy rule that matched DNS traffic caused DNS responses to be malformed in transit.
PAN-163695
Fixed an issue where multiple dataplane process (all_task, flow_mgmt, flow_ctrl, and pktlog_forwarding) stopped responding and caused the dataplane to restart. This issue occurred when the firewall received unexpected packets during an SSL handshake when SSL inbound inspection was configured.
PAN-162884
Fixed a rare issue where an external dynamic list (EDL) entry became corrupt due to an erroneous string being inserted while generating the list.
PAN-161618
Fixed an issue where the commit time increased after upgrading from PAN-OS 9.0 to PAN-OS 9.1.
PAN-161289
Fixed an issue where predict session didn't update the associated rules when Security policies shifted after a commit.
PAN-161218
The following CLI commands were added to enable the customer to set the dataplane utilization limit:
debug dataplane show ctd wildfire max
-
debug dataplane set ctd wildfire max <0-5000>
The default setting is the recommended value of 500; a value of 0 removes dataplane CTD limits.
PAN-161208
Fixed an issue where the
Service Route Configuration
(
Device > Setup > Services > Service Route Configuration
) was unchangeable when the web interface language was set to a language other than English.
PAN-160831
Fixed an intermittent issue where importing a new firewalls configuration into Panorama failed due to conflicting virtual system (vsys) names, even when the
Device Group Name Prefix
was used to make the name unique.
PAN-160544
Fixed an issue where a user was able to clone, edit, and commit a configuration that had been locked by another user.
PAN-160254
Fixed a memory leak issue related to a process (reportd) where memory was not freed after an ElasticSearch request.
PAN-160253
Fixed an issue where only one medium-severity system log was generated if either the EDL file wasn't updated at the remote end or the downloaded file wasn't a text file.
PAN-160150
Fixed an intermittent issue where, when a race condition occurred, a process (rasmgr) stopped responding, which caused GlobalProtect user authentication failure.
PAN-159954
Fixed an issue where scheduled configuration bundle exports via Secure Copy (SCP) displayed following error message in the system log:
Failed to export config bundle
after already displaying a
Success
message in the log.
PAN-159936
Fixed an issue where BGP routing stopped advertising a redistributed route when a similar new redistributed route was configured.
PAN-159922
Fixed an issue where, when the DNS Security feature was enabled, Linux clients experienced a delay in resolving domain names if the clients simultaneously attempted A and AAAA resolution.
PAN-159700
Fixed an issue where importing PAN-TRAPS.my to the SNMP manager caused the following error to display:
Registration failed, registration failed, because there are unreferenced definition names in the MIB file
.
PAN-159536
Fixed an issue where, when the CLI command
oscp-exclude-nonce-yes
was enabled for a certificate profile, a nonce value was still included in the Online Certificate Status Protocol (OCSP) request.
PAN-159435
Fixed an issue where SD-WAN routes weren't withdrawn after a bootup when all SD-WAN tunnels were down.
PAN-159293
Fixed an issue where the Certification Revocation List (CRL) in Distinguished Encoding Rules (DER) format incorrectly returned errors despite being able to successfully pull the CRL to verify that the syslog server certificate was still valid.
PAN-159122
Fixed an issue where, when a new tag was created, a custom application with the same name was also created.
PAN-158958
Fixed an issue where the
debug sslmgr view crl
command failed when ampersand (&) character was included in the URL for the certificate revocation list (CRL).
PAN-158654
Fixed a memory leak issue in the management server process.
PAN-158649
Fixed an issue where commits to the Prisma Access Remote networks from Panorama were failing when the management server on the cloud firewall failed to exit cleanly and reported the following error:
pan_check_cert_status(pan_crl_ocsp.c:284): sysd write failed (TIMEOUT)
PAN-158450
(
PA-3200 Series firewalls only
) Fixed an issue where, for SNMPv2-MIB:sysServices,
snmpwalk
returned the following error message:
No Such Instance currently exists at this OID
.
PAN-158439
Fixed a memory leak on the management server process on Firewall.
PAN-158372
Fixed a buffer overflow issue related to the useridd process.
PAN-158337
Fixed an issue where warnings displayed during a commit or validate when BGP peers used in an import/export rule were disabled.
PAN-158043
Fixed an issue where the firewall dropped packets due to a race condition.
PAN-157938
(
VM-Series firewalls with multiple DHCP interfaces only
) Fixed an issue where leases renewed more quickly than needed, which caused unnecessary SPF recalculations.
PAN-157835
Fixed an issue where DNS Proxy rules that contained uppercase characters were not normalized to lowercase, which prevented the rules from being matched.
PAN-157725
Fixed an issue where, when decryption was enabled, the following error was displayed:
Cannot contact reCAPTCHA. Check your connection and try again
.
PAN-157715
Fixed an intermittent issue where SMB file transfer operations failed due to packet drops that were caused by the Content and Threat Detection (CTD) queue filling up quickly. This fix introduces a new CLI command which, when enabled, prevents these failures:
set system setting ctd nonblocking-pattern-match-qsizecheck [enable|disable]
.
PAN-157710
Fixed an issue where admin users with custom roles were unable to create VLANs.
PAN-157620
(
VM-Series firewalls deployed in Amazon Web Services (AWS) instance types M5 and C5 only
) Fixed an issue where a Panorama Virtual Appliance in an HA configuration entered a suspended state due to a virtual machine (VM) memory size mismatch.
PAN-157518
Fixed an issue where using tags to target a device group in a Security policy rule did not work, and the rule was displayed in all device groups (
Preview Rules
).
PAN-157459
Fixed an issue where, after updating an address in an Address Group, a commit did not update GlobalProtect split tunnel access routes.
PAN-157089
(
Panorama appliances in Log Collector mode only
) The following CLI command was added to disable
No valid device certificate found
messages in the system log:
debug skip-cert-renewal-check-syslog yes
.
PAN-157027
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
PAN-157026
Fixed an issue where the firewall did not display unified logs.
PAN-156766
Fixed an issue where, after upgrading to PAN-OS 9.1.5, VM-Series firewalls in HA configurations went into a non-functional state due to a virtual machine (VM) license mismatch.
PAN-156482
Fixed a packet buffer issue where HTTP2 packets were held for category lookup and the HTTP request was across multiple packets.
PAN-156393
Fixed an issue where NetFlow updates were sent without honoring the configured active timeout value.
PAN-156388
Fixed an issue where a process (useridd) stopped responding while attempting to remove all HIP reports on the disk.
PAN-155563
Fixed an intermittent issue where the Panorama Cloud Services plugin reported the following error for its Cortex Data Lake status:
Failed to validate server certificate for endpoint api.paloaltonetworks.com
.
PAN-154905
(
Panorama appliances on PAN-OS 10.0 releases only
) Fixed an issue with Security policy rule configuration where, in the
Source
and
Destination
tabs, the
Query Traffic
setting was not available for Address Groups.
PAN-154876
Fixed an issue where the web interface did not display
Release Date
when updating the dynamic updates manually.
PAN-153382
Fixed an issue where the per-minute resource monitor was three minutes behind.
PAN-153308
Fixed an issue that caused the mouse cursor to remove focus from the search bar when hovering over a hyperlink inside of a cell menu (e.g., source zone, source address, destination zone, destination address, etc.).
PAN-153113
Fixed an issue where the GlobalProtect gateway failed with the following error message:
gateway does not exist
.
PAN-151469
Fixed an issue where packets were dropped unexpectedly due to errors parsing the IP version field.
PAN-149911
Fixed an issue where URL filtering logs for credential phishing displayed a slash character (/) in the URL field.
PAN-149853
Fixed an issue on Panorama where the
loc
attribute was not set as
shared
when creating dynamic-address-group-specific configurations during a Panorama commit.
PAN-147684
Fixed an issue where a daemon (ikemgr) repeatedly restarted, which resulted in the firewall rebooting.
PAN-143426
Fixed a memory leak issue where a process (devsrvr) restarted due to the memory limit being exceeded.
PAN-141494
Fixed an issue with the group-mapping mode credential detection feature that failed to block users when logging in using corporate credentials.
PAN-138859
Fixed an issue on Panorama appliances where exporting or pushing a device configuration bundle to PA-5000, PA-5200, PA-7000, or PA-7000b series firewalls failed with the following error message:
Config bundle is too large to be exported to device
.
PAN-138727
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
PAN-136505
(
PA-5200 Series and PA-7000 Series firewalls with Log Processing Cards (LPCs) only
) Fixed an issue where the log quota (
Logging and Reporting Settings > Session Log Storage > Session Log Quota)
exceeded 100%.
PAN-134390
Fixed an issue where commits didn't complete due to a race condition in the log receiver.
PAN-133782
Fixed an issue where Panorama was not accessible via the web interface due to insufficient available disk space in the
opt/mongobuffer partition
, which caused the mongodb process to stop responding.
PAN-130003
Fixed an issue where the
show logging-status
CLI command did not display any output on the firewall even though the firewall was connected to Panorama and was successfully forwarding logs.
PAN-124956
(
VM-Series firewalls only
) Fixed an issue where packet buffer protection was not supported.
PAN-118846
Fixed an issue where you were unable to locally override a user-group-mapping setting pushed from Panorama.
PAN-116515
Fixed an issue where IKE Gateway configurations with different crypto profiles on the same IP address with dynamic peers failed with the following error message:
IKEv1 gateway should use the same crypto profiles configured on the same interface or local IP address
.
With this fix, you are able to configure IKE Gateways with different crypto profiles on the same IP address with dynamic peers when IKEv1 auto mode is applied.
PAN-108197
Fixed an issue in a multi-tenant deployment where, when a user-made configuration changed, the changes were unable to be committed, and the web interface displayed the following error message:
No pending change to commit
. With this fix, users with multiple access domains will now be able to see plugin information.

Recommended For You