PAN-OS 9.1.12 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 9.1.12 Addressed Issues
PAN-OS® 9.1.12 addressed issues.
Issue ID | Description |
---|---|
PAN-181076 | Fixed an issue where commit failures occurred
when an External Dynamic List (EDL) that contained many IP addresses
was used in a Security policy. |
PAN-179750 | A CLI command was added to set the virtual
memory limit in dedicated log collectors. |
PAN-179581 | Fixed an issue on firewalls in high availability
configurations where a process (brdagent) stopped responding
on a suspended active peer, which caused the suspended firewall
to continue sending traffic. |
PAN-179356 | (5200-Series firewalls only) Fixed
an issue where configuration commits failed due to the dataplane
running out of memory in the policy cache. |
PAN-178953 | Fixed an issue with the GlobalProtect Clientless
VPN where, when an application sent a negative max age value on
a cookie, part of the cookie was retained by PAN-OS and used for
the subsequent connection on the user session. |
PAN-178363 | Fixed an issue where a process (mgmtsrvr) wasn't
restarted after the virtual memory limit was exceeded. |
PAN-176862 | (VM-Series firewalls only) Fixed
an issue where the firewall didn't attempt to connect to a log collector
when the management IP address used DHCP. |
PAN-176461 | Fixed an issue where a process (mdb)
stopped responding after downgrading from a PAN-OS 9.1 release to
an earlier release due to discrepancies in the mongodb process version. Note:
To utilize this fix, first install a PAN-OS 9.0 release on the web
interface, and then, prior to reboot, run the following CLI command: debug mongo clear instance mdb. |
PAN-176364 | Fixed an issue where multiple operations
(such as a commit or dynamic updates) failed due to a race condition
in the cryptod fallback mechanism. |
PAN-176131 | Fixed an issue where the Simple Network
Management Protocol (SNMP) object identifier (OID) for panSessionCps did
not show the correct session count. |
PAN-176032 | Fixed an issue where a process (authd)
process stopped responding, which caused authentication to fail. |
PAN-175934 | Fixed an issue where packed-based zone protection
settings (such as Strict IP Address Check) were not applied to return
traffic. |
PAN-175652 | Fixed an issue where SSL decryption failed
for websites when they were accessed from Google Chrome version
92 or higher. |
PAN-175307 | Fixed an issue where Panorama commits were
slower than expected and the configd process stopped
responding due to a memory leak. |
PAN-174894 | Fixed an issue where, when the time-to-live
(TTL) value for symmetric MAC entries weren't updated to other dataplanes
and HA peers, timeouts occurred for traffic using policy-based forwarding
(PBF) with symmetric returns. |
PAN-174886 | Fixed an issue where scheduled customer
reports displayed as empty when the configured destination was an
address group. |
PAN-174864 | Fixed an issue on the Panorama interface
where Deploying Master Key to low-end devices resulted
in a Failed to communicate message, even
when the new master key was updated on the end device. This issue
occurred because a master key deployment had insufficient time to
process due to a connection timeout. |
PAN-174161 | Fixed an issue in Panorama that occurred
when attempting to disable override on an
object from a child device group did not work after cloning and
renaming the object. |
PAN-174055 | Fixed an issue where SNMP readings reported
as 0 for dataplane interface packet statistics for Amazon Web Services
(AWS) m5n.4xlarge instance types. This issue occurred because the
physical port counters read from MAC addresses were reported as
0. |
PAN-173978 | Fixed an issue where the Elasticsearch process
continuously restarted if zero-length files were present. |
PAN-173893 | Fixed a memory leak issue related to the (useridd)
process that occurred when group mapping is enabled. |
PAN-173753 | Fixed an issue where a bar or point on a Network Monitor graph
had to be clicked more than once to properly redirect to the corresponding
ACC report. |
PAN-173545 | Fixed an issue where exporting a device
summary to CSV failed and displayed the following error message: Error while exporting. |
PAN-173509 | Fixed an issue where Superuser administrators
with read-only privileges (Device > Administrators and
Panorama > Administrators) were unable to view the hardware
ACL blocking setting and duration in the CLI using the following commands:
|
PAN-173157 | Fixed an issue with the HA1 monitor hold
timer where the configured value was not assigned to the HA1 backup
interface, which used the default hold timer (3000 milliseconds),
which resulted in failover events taking longer than expected. |
PAN-173076 | (Panorama appliances in FIPS mode only)
Fixed an issue where the FIPS Panorama / FIPS firewall schema didn't
prune non-FIPS options from the GlobalProtect Clientless VPN. |
PAN-172834 | Fixed a memory leak issue related to the useridd process
that occurred when processing IP-address-to-username mappings. |
PAN-172783 | Fixed an issue on an HA active/passive configuration
where old GPRS tunneling protoc0l (GTP-U) tunnel sessions did not
sync to the passive firewall during some upgrades, such as upgrading
from a PAN-OS 8.1 release version to a 9.0 release version or upgrading
from a 9.0 release version to a 9.1 release version. |
PAN-172775 | Fixed an issue in Panorama where the configd process
stopped responding due to a memory issue with memcpy bson_append. |
PAN-172748 | (VM-Series firewalls only) Fixed
an issue where a process (all_task) stopped responding. |
PAN-172396 | Fixed a memory leak issue related to the useridd process. |
PAN-172324 | Fixed an issue on the Panorama web interface
where custom vulnerability signature IDs weren't populated in the
drop-down when creating a custom combination signature. |
PAN-172316 | Fixed an issue where the internal interface
flow control that caused the monitoring process to incorrectly determine
the interface to be malfunctioning. |
PAN-172200 | Fixed an issue where a process (configd) restarted
due to memory corruption in the show dynamic-address-group CLI
command during commits, commit and push operations, and high availability
Panorama syncs. |
PAN-171696 | (PA-800 and PA-400 Series firewalls
and PA-220 firewalls only) Fixed an issue where the management
plane CPU was incorrectly reported to be high. |
PAN-171367 | Fixed an issue in active/active HA configuration
where session disconnected during an upgrade from a PAN-OS 9.0 release
to a PAN-OS 9.1 release. |
PAN-171203 | Fixed an issue in an HA configuration where,
when one firewall was active and its peer was in a suspended state,
the suspended firewall continued to send traffic, which triggered
the detection of duplicate MAC addresses. |
PAN-171159 | Fixed a memory leak on the configd process
on Panorama caused during multi-clone operations for rules. |
PAN-170936 | Fixed an issue where the firewall egressed
offloaded frames out of order after an explicit commit (Commit on
the firewall or Commit All Changes on Panorama) or
an implicit comment such as an Antivirus update, Dynamic Update,
or WildFire update. Note This issue
persists for a network-related configuration and commit. |
PAN-170595 | Fixed an issue with Content and Threat Detection
where traffic patterns created a bus error, which caused the all_pktproc process
to stop responding and the dataplane to restart. |
PAN-170466 | Fixed an memory reference issue related
to the devsrvr process that caused the process to stop responding. |
PAN-169899 | Fixed an issue on firewalls with offload
processors where the ECMP forced symmetric return feature didn't
work for CRE traffic after the session was offloaded. |
PAN-169347 | Fixed an issue where a process (authd)
stopped responding due to an invalid null pointer. |
PAN-169300 | Debug logs were added to troubleshoot WildFire
submission issues. |
PAN-169173 | Fixed an issue where, if you continuously
performed partial commits of a configuration with a high number
of Dynamic Address Groups, Panorama became unresponsive and commits
were slower than expected. |
PAN-168261 | Fixed a cosmetic issue where the WildFire
submission log displayed the sha256 of
the original email link. |
PAN-168189 | Fixed an issue where, even when there was
active multicast traffic, the firewall sent Protocol Independent
Multicast (PIM) prune messages. |
PAN-167560 | Fixed an issue where the Panorama appliance
didn't return inherited device group locations pertaining to Security
policies for REST API queries. |
PAN-167329 | Fixed an issue where Zero Touch Provisioning
(ZTP) flow did not complete. |
PAN-167115 | Fixed an issue where, after upgrading to
10.0.3, admin sessions on Panorama were not logged out after the
idle timeout expired. |
PAN-167087 | Fixed an issue where the focus was not set
on the free text field when requesting a token code on the Authentication
Portal. |
PAN-166686 | Fixed an issue where EDNS responses dropped
when the original request was DNS. |
PAN-166202 | Fixed an issue with an extra character in
HTTP Strict Transport Security (HSTS) regression tests when accessing
the GlobalProtect gateway. |
PAN-166180 | Fixed an issue with snmpv3 trap not processed
by snmptrap receiver after firewall reboot. |
PAN-166091 | Fixed an issue where the firewall dropped
policy-based forwarding (PBF) keepalive responses. |
PAN-165433 | Fixed an intermittent issue where Cortex
Data Lake failed to reconnect after a disconnect if a management
IP address used for logging had an IP address assignment type of
DHCP. |
PAN-165147 | Fixed an issue where, when there was a high
volume of traffic for sessions with Application Block
Pages enabled, other regular packets were dropped. |
PAN-162374 | Fixed an issue where the firewall rebooted
unexpectedly and displayed the following message: Reboot SYSTEM REBOOT Masterd Initiated. |
PAN-162174 | Fixed an issue where, when the firewall
received a configuration from Panorama with no URL category, it
was automatically configured as Any. |
PAN-161964 | Fixed an issue where email header from fields
in threat logs were truncated due to line folding in the original
message. |
PAN-161940 | Fixed an issue where the firewall did not
honor the peer RX interval timeout in a Bidirectional Forwarding
Detection (BFD) INIT state. |
PAN-161726 | Fixed an issue where the show high-availability all output
incorrectly displayed the VM-Series firewall license type on physical
firewalls. |
PAN-161496 | Fixed an issue when calculating the incremental
checksum after a post-NAT translation where the arguments to pan_in_cksm32_diff overflowed
the 32-bit integer. |
PAN-161031 | Fixed an issue where authentication via
LDAP server failed in FIPS-CC mode when the LDAP server profile
was configured with the root certificate chain and Verify
server certificate for SSL sessions options enabled. |
PAN-160708 | Fixed an issue where the dataplane restarted
after configuring a deny_all policy. |
PAN-158931 | Fixed an issue where the email header subject field
in the threat logs were truncated due to line folding in the original
message. |
PAN-158753 | (Panorama virtual appliances in Legacy
mode only) Fixed an issue where GlobalProtect logs were not
forwarded to the external syslog server over TCP. |
PAN-158056 | Fixed an issue where DDNS updates generated
contradictory system logs, the first displaying that the update
failed with critical severity and the second displaying that the
update was successful. |
PAN-157365 | (PA-7050 firewalls only) Fixed
an issue where a process (all_pktproc) stopped responding
after an upgrade. |
PAN-156478 | Fixed an issue where a process (allpktproc) restarted
while processing SMTP traffic. |
PAN-155448 | Fixed an issue where credential detection
didn't work in IP address-to-username mapping mode because the firewall
compared the unnormalized IP-address-to-username mapping format
to the normalized username extracted from the payload where the
username and password were submitted. |
PAN-154305 | Fixed an issue where a process (mgmtsrvr) stopped
responding when a license fetch operation was performed. |
PAN-153527 | Fixed an issue where DNS security wasn't
triggered when the DNS Security profile was incorrectly internally
duplicated to a null DNS Security profile. |
PAN-151264 | Fixed an issue where using the ampersand
(&) character in URLs submitted via XML API caused an error. |
PAN-150848 | Fixed an issue where the firewall dropped
TCP FIN traffic due to the server-to-client FIN traffic being out
of order. |
PAN-150445 | Fixed an issue where the firewall did not
translate IP addresses in Layer 7 payloads as per NAT translation
for Oracle Application Server traffic. |
PAN-149314 | Fixed an issue where lookup of a security
rule with a custom URL category on a multi-virtual system (vsys)
failed when vsys<id>+ was not in
the beginning the category name. |
PAN-148554 | Fixed an issue where the user was able to
bypass URL credential phishing by changing the username from lower
case to upper case. |
PAN-147256 | (Firewalls in HA configurations only)
Fixed an issue where connections to the SafeNet hardware security
module (HSM) were lost after upgrading to a new major PAN-OS release. |
PAN-147228 | Fixed an issue where an application's domain
name didn't resolve if the cache was disabled on the DNS Proxy object
being used in the GlobalProtect Clientless VPN. |
PAN-145833 | (PA-3200 Series firewalls only)
Fixed an issue where the firewall stopped recording dataplane diagnostic
data in dp-monitor.log after a few hours of uptime. |
PAN-144340 | (PA-7000 Series firewalls only)
Fixed an issue where some slots in the firewall did not get registered
as up in a process (useridd), which caused the process
to ignore IP address-to-user mappings to those slots. |
PAN-141454 | Fixed an issue where the output of the CLI
command show running resource-monitor ingress-backlogs displayed
an incorrect total utilization value. |
PAN-141037 | Fixed an issue where Windows-1252 encoded
filenames triggered an Unknown Binary File (52081) type signature. |
PAN-129147 | Fixed an intermittent issue on the web interface
where new threat IDs did not appear under Exception settings (Objects
> Security Profiles > Anti-Spyware > Exceptions or Objects
> Security Profiles > Vulnerability Protection > Exceptions). |
PAN-128590 | Fixed an issue where connection collisions
occurred between BGP peers. |
PAN-123935 | (PA-3200 Series firewalls only)
Fixed an issue where packets with a specific MAC address were misinterpreted
as 802.1QA tunneled packets, which resulted in incorrect VLAN tags
that caused the packets to be dropped. |
PAN-119198 | Fixed an issue where ECMP strict-source-path did
not work with IPSec. |
PAN-113046 | (PA-5200 Series firewalls only)
Fixed an issue where a process (brdagent) stopped responding,
which caused the management plane to stop responding. |
PAN-112674 | Fixed an issue where an escape ( \ ) character
was added to HTTP logs when a log contained a comma. |