PAN-OS 9.1.14 Addressed Issues

PAN-OS® 9.1.14 addressed issues.
Issue ID
FIPS-CC enabled firewalls only
) Fixed an issue where the firewall was unable to connect to log collectors after an upgrade due to missing cipher suites.
Fixed an issue where sessions were dropped with the message
due to the content inspection queue filling up.
Fixed an issue on Panorama where a deadlock in the configd process caused both the web interface and the CLI to be inaccessible.
Fixed an issue with the dnsproxyd process that caused the firewall to unexpectedly reboot.
Fixed an issue where tunnel-monitoring interface was incorrectly shown as up instead of down.
Fixed an issue where the firewall dropped packets decrypted using the SSL Decryption feature and Encapsulating Security Payload (ESP) IPSec packets that originated from the same firewall. This occurred when
Strict IP Address Check
was enabled in the zone protection profile (
Packet Based Attack > IP Drop
) and the packet's source IP address was the same as the egress interface address.
Fixed an issue where the firewall sent fewer logs to the system log server than expected. With this fix, the firewall accommodates a larger send queue for syslog forwarding to TCP syslog receivers.
Fixed an issue on FIPS-enabled devices where modifying any configuration of an existing GlobalProtect portal failed with the following error message:
Operation failed : Malformed request
PA-5220 firewalls only
) Fixed an issue where the firewall generated pause frames, which caused network latency.
Fixed an issue where, after clicking
WildFire Analysis Report
, the web interface failed to display the report with the following error message:
refused to connect
Fixed an issue with SCEP certificate enrollment where the incorrect Registration Authority (RA) certificate was chosen to encrypt the enrollment request.
Panorama appliances in HA configurations only
) Fixed an issue where, when using Prisma Access multitenancy, the passive appliance didn't correctly update the tenant information after the tenant was deleted on the active appliance.
Fixed an issue with DNS cache depletion that caused continuous DNS retries.
Fixed an issue where the
files filled up the root disk space.
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high Quality of Service (QoS) differentiated service code (DSCP) value, the DSCP value was reset to the default setting (CS0) for the first data packet.
Fixed an issue where decrypting large packets introduced congestion during content inspection, which caused processes to stop responding due to missed heartbeats.
Fixed an issue that occurred after upgrading to a PAN-OS 9.0 or later release where commits to the firewall configuration failed with the following error message:
statistics-service is invalid
PA-3200 Series firewalls only
) Fixed an issue where multiple processes stopped responding, which caused the firewall to reboot.
Fixed an issue where the following operational mode commands were not reboot persistent:
  • set system setting ctd pkt-proc-loop-low <value>
  • set system setting ctd pkt-proc-loop-high <value>
  • set system setting ctd max-sess-hash-limit <value>
Fixed an issue where a deadlock on
caused both the web interface and CLI commands to time out until the mgmtsrvr process was restarted.
Fixed an issue where changing SSL connection validation settings for system logs caused the mgmtsrvr process to stop responding.
Fixed an issue where PDF summary reports were empty when they were generated by a user in a custom admin role.
M-200 and M-500 appliances only
) Fixed a capacity issue that was caused by high operational activity and large configurations. This fix increases the virtual memory limit on the configd process to 32GB.
PA-220 Series firewalls only
) Fixed an issue where the `runtime-state` parameter was missing in the CLI command `request high-availability sync-to-remote`.
Fixed an issue on Panorama where a commit push to managed firewalls failed with
sctp-init is invalid
error even though SCTP settings were not configured in the corresponding template.
Fixed an issue where a race-condition check returned a false negative, which caused a process (all_task) to stop responding and generate a core file.
Fixed an issue on Panorama where long FQDN queries did not resolve due to the character limit being 64 characters.
Fixed an issue where a commit-all or push to the firewall from Panorama failed with the following error message:
client routed requesting last config in the middle of a commit/validate. Aborting current commit/validate
Firewalls in active/passive high availability configurations only
) Fixed a routing table mis-sync issue where routes were missing on the passive firewall when GRE tunnels with keepalives were configured.
Fixed an issue where the session browser did not display results when filtered for IPv6 addresses with more than 31 characters.

Recommended For You