PAN-OS 9.1.12 Addressed Issues

PAN-OS® 9.1.12 addressed issues.
Fixed an issue where commit failures occurred when an External Dynamic List (EDL) that contained many IP addresses was used in a Security policy.
A CLI command was added to set the virtual memory limit in dedicated log collectors.
Fixed an issue on firewalls in high availability configurations where a process (brdagent) stopped responding on a suspended active peer, which caused the suspended firewall to continue sending traffic.
(5200-Series firewalls only) Fixed an issue where configuration commits failed due to the dataplane running out of memory in the policy cache.
Fixed an issue with the GlobalProtect Clientless VPN where, when an application sent a negative max age value on a cookie, part of the cookie was retained by PAN-OS and used for the subsequent connection on the user session.
Fixed an issue where a process (mgmtsrvr) wasn't restarted after the virtual memory limit was exceeded.
(VM-Series firewalls only) Fixed an issue where the firewall didn't attempt to connect to a log collector when the management IP address used DHCP.
Fixed an issue where a process (mdb) stopped responding after downgrading from a PAN-OS 9.1 release to an earlier release due to discrepancies in the mongodb process version.
To utilize this fix, first install a PAN-OS 9.0 release on the web interface, and then, prior to reboot, run the following CLI command:
debug mongo clear instance mdb
Fixed an issue where multiple operations (such as a commit or dynamic updates) failed due to a race condition in the
fallback mechanism.
Fixed an issue where the Simple Network Management Protocol (SNMP) object identifier (OID) for
did not show the correct session count.
Fixed an issue where a process (authd) stopped responding, which caused authentication to fail.
Fixed an issue where packet-based zone protection settings (such as Strict IP Address Check) were not applied to return traffic.
Fixed an issue where SSL decryption failed for websites when they were accessed from Google Chrome version 92 or higher.
Fixed an issue where Panorama commits were slower than expected and the configd process stopped responding due to a memory leak.
Fixed an issue where, when the time-to-live (TTL) value for symmetric MAC entries wasn't updated to other dataplanes and HA peers, timeouts occurred for traffic using policy-based forwarding (PBF) with symmetric returns.
Fixed an issue where scheduled customer reports displayed as empty when the configured destination was an address group.
Fixed an issue on the Panorama interface where Deploying Master Key to low-end devices resulted in a Failed to communicate message, even when the new master key was updated on the end device. This issue occurred because a master key deployment had insufficient time to process due to a connection timeout.
Fixed an issue in Panorama where attempting to disable override on an object from a child device group did not work after cloning and renaming the object.
Fixed an issue where SNMP readings reported as 0 for dataplane interface packet statistics for Amazon Web Services (AWS) m5n.4xlarge instance types. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
Fixed an issue where the Elasticsearch process continuously restarted if zero-length files were present.
Fixed a memory leak issue related to the useridd process that occurred when group mapping was enabled.
Fixed an issue where a bar or point on a Network Monitor graph had to be clicked more than once to properly redirect to the corresponding ACC report.
Fixed an issue where exporting a device summary to CSV failed and displayed the following error message:
Error while exporting
Fixed an issue where Superuser administrators with read-only privileges (Device > Administrators and Panorama > Administrators) were unable to view the hardware ACL blocking setting and duration in the CLI using the following commands:
  • show system setting hardware-acl-blocking-enable
  • show system setting hardware-acl-blocking-duration
Fixed an issue with the HA1 monitor hold timer where the configured value was not assigned to the HA1 backup interface, which used the default hold timer (3000 milliseconds), which resulted in failover events taking longer than expected.
(Panorama appliances in FIPS mode only) Fixed an issue where the FIPS Panorama / FIPS firewall schema didn't prune non-FIPS options from the GlobalProtect Clientless VPN.
Fixed a memory leak issue related to the useridd process that occurred when processing IP-address-to-username mappings.
Fixed an issue on an HA active/passive configuration where old GPRS tunneling protocol (GTP-U) tunnel sessions did not sync to the passive firewall during some upgrades, such as upgrading from a PAN-OS 8.1 release version to a 9.0 release version or upgrading from a 9.0 release version to a 9.1 release version.
Fixed an issue in Panorama where the configd process stopped responding due to a memory issue with memcpy bson_append.
(VM-Series firewalls only) Fixed an issue where a process (all_task) stopped responding.
Fixed a memory leak issue related to the useridd process.
Fixed an issue on the Panorama web interface where custom vulnerability signature IDs weren't populated in the drop-down when creating a custom combination signature.
Fixed an issue where the internal interface flow control caused the monitoring process to incorrectly determine the interface to be malfunctioning.
Fixed an issue where a process (configd) restarted due to memory corruption in the show dynamic-address-group CLI command during commits, commit and push operations, and high availability Panorama syncs.
(PA-800 and PA-400 Series firewalls and PA-220 firewalls only) Fixed an issue where the management plane CPU was incorrectly reported to be high.
Fixed an issue in active/active HA configurations where sessions disconnected during an upgrade from a PAN-OS 9.0 release to a PAN-OS 9.1 release.
Fixed an issue in an HA configuration where, when one firewall was active and its peer was in a suspended state, the suspended firewall continued to send traffic, which triggered the detection of duplicate MAC addresses.
Fixed a memory leak on the configd process on Panorama caused during multi-clone operations for rules.
Fixed an issue where the firewall egressed offloaded frames out of order after an explicit commit (
on the firewall or
Commit All Changes
on Panorama) or an implicit commit such as an Antivirus update, Dynamic Update, or WildFire update.
This issue persists for a network-related configuration and commit.
Fixed an issue with Content and Threat Detection where traffic patterns created a bus error, which caused the all_pktproc process to stop responding and the dataplane to restart.
Fixed a memory reference issue related to the devsrvr process that caused the process to stop responding.
Fixed an issue on firewalls with offload processors where the ECMP forced symmetric return feature didn't work for CRE traffic after the session was offloaded.
Fixed an issue where a process (authd) stopped responding due to an invalid null pointer.
Debug logs were added to troubleshoot WildFire submission issues.
Fixed an issue where, if you continuously performed partial commits of a configuration with a high number of Dynamic Address Groups, Panorama became unresponsive and commits were slower than expected.
Fixed a cosmetic issue where the WildFire submission log displayed the
of the original email link.
Fixed an issue where, even when there was active multicast traffic, the firewall sent Protocol Independent Multicast (PIM) prune messages.
Fixed an issue where the Panorama appliance didn't return inherited device group locations pertaining to Security policies for REST API queries.
Fixed an issue where Zero Touch Provisioning (ZTP) flow did not complete.
Fixed an issue where, after upgrading to 10.0.3, admin sessions on Panorama were not logged out after the idle timeout expired.
Fixed an issue where the focus was not set on the free text field when requesting a token code on the Authentication Portal.
Fixed an issue where EDNS responses dropped when the original request was DNS.
Fixed an issue with an extra character in HTTP Strict Transport Security (HSTS) regression tests when accessing the GlobalProtect gateway.
Fixed an issue where SNMPv3 traps were not processed by the SNMP trap receiver after a firewall reboot.
Fixed an issue where the firewall dropped policy-based forwarding (PBF) keepalive responses.
Fixed an intermittent issue where Cortex Data Lake failed to reconnect after a disconnect if a management IP address used for logging had an IP address assignment type of DHCP.
Fixed an issue where, when there was a high volume of traffic for sessions with Application Block Pages enabled, other regular packets were dropped.
Fixed an issue where the firewall rebooted unexpectedly and displayed the following message:
Reboot SYSTEM REBOOT Masterd Initiated
Fixed an issue where, when the firewall received a configuration from Panorama with no URL category, it was automatically configured as
Fixed an issue where email header
fields in threat logs were truncated due to line folding in the original message.
Fixed an issue where the firewall did not honor the peer RX interval timeout in a Bidirectional Forwarding Detection (BFD) INIT state.
Fixed an issue where the show high-availability all output incorrectly displayed the VM-Series firewall license type on physical firewalls.
Fixed an issue when calculating the incremental checksum after a post-NAT translation where the arguments to
overflowed the 32-bit integer.
Fixed an issue where authentication via LDAP server failed in FIPS-CC mode when the LDAP server profile was configured with the root certificate chain and Verify server certificate for SSL sessions options enabled.
Fixed an issue where the dataplane restarted after configuring a
Fixed an issue where the email header
field in the threat logs were truncated due to line folding in the original message.
(Panorama virtual appliances in Legacy mode only) Fixed an issue where GlobalProtect logs were not forwarded to the external syslog server over TCP.
Fixed an issue where DDNS updates generated contradictory system logs, the first displaying that the update failed with critical severity and the second displaying that the update was successful.
(PA-7050 firewalls only) Fixed an issue where a process (all_pktproc) stopped responding after an upgrade.
Fixed an issue where a process (allpktproc) restarted while processing SMTP traffic.
Fixed an issue where credential detection didn't work in IP address-to-username mapping mode because the firewall compared the unnormalized IP-address-to-username mapping format to the normalized username extracted from the payload where the username and password were submitted.
Fixed an issue where a process (mgmtsrvr) stopped responding when a license fetch operation was performed.
Fixed an issue where DNS security wasn't triggered when the DNS Security profile was incorrectly internally duplicated to a null DNS Security profile.
Fixed an issue where using the ampersand (&) character in URLs submitted via XML API caused an error.
Fixed an issue where the firewall dropped TCP FIN traffic due to the server-to-client FIN traffic being out of order.
Fixed an issue where the firewall did not translate IP addresses in Layer 7 payloads as per NAT translation for Oracle Application Server traffic.
Fixed an issue where lookup of a security rule with a custom URL category on a multi-virtual system (vsys) failed when
was not at the beginning of the category name.
Fixed an issue where the user was able to bypass URL credential phishing by changing the username from lower case to upper case.
(Firewalls in HA configurations only) Fixed an issue where connections to the SafeNet hardware security module (HSM) were lost after upgrading to a new major PAN-OS release.
Fixed an issue where an application's domain name didn't resolve if the cache was disabled on the DNS Proxy object being used in the GlobalProtect Clientless VPN.
(PA-3200 Series firewalls only) Fixed an issue where the firewall stopped recording dataplane diagnostic data in dp-monitor.log after a few hours of uptime.
(PA-7000 Series firewalls only) Fixed an issue where some slots in the firewall did not get registered as up in a process (useridd), which caused the process to ignore IP address-to-user mappings to those slots.
Fixed an issue where the output of the CLI command show running resource-monitor ingress-backlogs displayed an incorrect total utilization value.
Fixed an issue where Windows-1252 encoded filenames triggered an Unknown Binary File (52081) type signature.
Fixed an intermittent issue on the web interface where new threat IDs did not appear under
settings (
Objects > Security Profiles > Anti-Spyware > Exceptions
Objects > Security Profiles > Vulnerability Protection > Exceptions
Fixed an issue where connection collisions occurred between BGP peers.
(PA-3200 Series firewalls only) Fixed an issue where packets with a specific MAC address were misinterpreted as 802.1QA tunneled packets, which resulted in incorrect VLAN tags that caused the packets to be dropped.
Fixed an issue where ECMP
did not work with IPSec.
(PA-5200 Series firewalls only) Fixed an issue where a process (
) stopped responding, which caused the management plane to stop responding.
Fixed an issue where an escape ( \ ) character was added to HTTP logs when a log contained a comma.

