PAN-OS 9.1.14 Addressed Issues
Focus
Focus

PAN-OS 9.1.14 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 9.1.14 Addressed Issues

PAN-OS® 9.1.14 addressed issues.
Issue ID
Description
PAN-189665
(FIPS-CC enabled firewalls only) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.
PAN-189468
Fixed an issue where the firewall onboard packet processor used by the PAN-OS content-inspection (CTD) engine can generate high dataplane resource usage when overwhelmed by a session with an unusually high number of packets. This can result in resource-unavailable messages due to the content inspection queue filling up. Factors related to the likelihood of an occurrence include enablement of content-inspection based features that are configured in such a way that might process thousands of packets in rapid succession (such as SMB file transfers). This can cause poor performance for the affected session and other sessions using the same packet processor. PA-3000 series and VM-Series firewalls are not impacted.
PAN-189010
Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.
PAN-188336
Fixed an issue with the dnsproxyd process that caused the firewall to unexpectedly reboot.
PAN-187151
Fixed an issue where tunnel-monitoring interface was incorrectly shown as up instead of down.
PAN-186937
Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when Strict IP Address Check was enabled in the zone protection profile (Packet Based Attack > IP Drop) and the packet's source IP address was the same as the egress interface address.
PAN-185616
Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.
PAN-184621
Fixed an issue on FIPS-enabled devices where modifying any configuration of an existing GlobalProtect portal failed with the following error message: Operation failed : Malformed request.
PAN-184068
(PA-5220 firewalls only) Fixed an issue where the firewall generated pause frames, which caused network latency.
PAN-183826
Fixed an issue where, after clicking WildFire Analysis Report, the web interface failed to display the report with the following error message: refused to connect.
PAN-183788
Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.
PAN-182173
(Panorama appliances in HA configurations only) Fixed an issue where, when using Prisma Access multitenancy, the passive appliance didn't correctly update the tenant information after the tenant was deleted on the active appliance.
PAN-181039
Fixed an issue with DNS cache depletion that caused continuous DNS retries.
PAN-180147
Fixed an issue where the bcm.log and brdagent_stdout.log-<datestamp> files filled up the root disk space.
PAN-177671
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high Quality of Service (QoS) differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.
PAN-177063
Fixed an issue where decrypting large packets introduced congestion during content inspection, which caused processes to stop responding due to missed heartbeats.
PAN-177133
(Firewalls in HA configurations only) Fixed an issue where the HA1 heartbeat backup flapped with the following error message: Unable to send icmp packet:(errno: 105) No buffer space available.
PAN-176703
Fixed an issue that occurred after upgrading to a PAN-OS 9.0 or later release where commits to the firewall configuration failed with the following error message: statistics-service is invalid.
PAN-176437
(PA-3200 Series firewalls only) Fixed an issue where multiple processes stopped responding, which caused the firewall to reboot.
PAN-175883
Fixed an issue where the following operational mode commands were not reboot persistent:
  • set system setting ctd pkt-proc-loop-low <value>
  • set system setting ctd pkt-proc-loop-high <value>
  • set system setting ctd max-sess-hash-limit <value>
PAN-175509
Fixed an issue where a deadlock on CONFIG_LOCK caused both the web interface and CLI commands to time out until the mgmtsrvr process was restarted.
PAN-175161
Fixed an issue where changing SSL connection validation settings for system logs caused the mgmtsrvr process to stop responding.
PAN-175016
Fixed an issue where PDF summary reports were empty when they were generated by a user in a custom admin role.
PAN-174998
(M-200 and M-500 appliances only) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.
PAN-174988
(PA-220 Series firewalls only) Fixed an issue where the `runtime-state` parameter was missing in the CLI command `request high-availability sync-to-remote`.
PAN-172766
Fixed an issue on Panorama where a commit push to managed firewalls failed with sctp-init is invalid error even though SCTP settings were not configured in the corresponding template.
PAN-171104
Fixed an issue where a race-condition check returned a false negative, which caused a process (all_task) to stop responding and generate a core file.
PAN-166368
Fixed an issue on Panorama where long FQDN queries did not resolve due to the character limit being 64 characters.
PAN-163245
Fixed an issue where a commit-all or push to the firewall from Panorama failed with the following error message: client routed requesting last config in the middle of a commit/validate. Aborting current commit/validate.
PAN-162047
(Firewalls in active/passive high availability configurations only) Fixed a routing table mis-sync issue where routes were missing on the passive firewall when GRE tunnels with keepalives were configured.
PAN-152026
Fixed an issue where the session browser did not display results when filtered for IPv6 addresses with more than 31 characters.
PAN-130172
Fixed an issue where Dynamic User Group lists were missing after disabling group-mapping configurations under that virtual system (vsys).