PAN-OS 9.1.16 Addressed Issues

PAN-OS® 9.1.16 addressed issues.
Issue ID
Fixed an issue where the firewall was unable to fully process the user list from a child group when the child group contained more than 1,500 users.
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Fixed an issue where an expired Trusted Root CA was used to sign the forward proxy leaf certificate during SSL Decryption.
Fixed an issue where large OSPF control packets were fragmented, which caused the neighborship to fail.
Fixed an issue where, when viewing a WildFire Analysis Report via the web interface, the
detailed log view
was not accessible if the browser window was resized.
Fixed an issue where link-local address communication for IPv6, BFD, and OSPFv3 neighbors was dropped when IP address spoofing check was enabled in a Zone Protection profile.
Fixed an issue that resulted in a race condition, which caused the configd process to stop responding.
Fixed an issue where running reports or queries under a user group caused the reportd process to stop responding.
Fixed an issue with Content and Threat Detection allocation storage space where performing a commit failed with a
error message.
Fixed an intermittent issue where forward session installs were delayed, which resulted in latencies.
Firewalls in FIPS-CC mode only
) Fixed an issue where the firewall unexpectedly rebooted when downloading a new PAN-OS software image.
PAN-OS security profiles might consume a large amount of memory depending on the profile configuration and quantity. In some cases, this might reduce the number of supported security profiles below the stated maximum for a given platform.
Fixed an issue with Saas Application Usage reports where
Applications with Risky Characteristics
displayed only two applications per section.
Fixed a sync issue with firewalls in active/active HA configurations.
Fixed an issue when both URL and Advanced URL licenses were installed, the expiry date was not correctly checked.
Fixed an issue where decrypted SSH sessions were interrupted with a decryption error.
A CLI command was added to address an issue where long-lived sessions were aging out even when there was ongoing traffic.
Fixed an issue where, when path monitoring for a static route was configured with a new Ping Interval value, the value was not used as intended.
Fixed an issue where disabling the
cipher did not work when using an SSL/TLS profile.
Fixed an issue where repeated configuration pushes from Panorama resulted in a management server memory leak.
Fixed an issue where commits pushed from Panorama caused a memory leak related to the mgmtsrvr process.
Fixed an issue where the following error message was not sent from multi-factor authentication PingID and did not display in the browser:
Your company has enhanced its VPN authentication with PingID. Please install the PingID app for iOS or Android, and use pairing key:<key>. To connect, type "ok"
Fixed an issue where syslog traffic that was sent from the management interface to the syslog server even when a destination IP address service route was configured.
Fixed an issue where, after renaming an object, configuration pushes from Panorama failed with the commit error
object name is not an allowed keyword
Fixed an issue on Panorama where a commit push to managed firewalls failed when objects were added as source address exclusions in a Security policy and
Share Unused Address and Service Objects with Devices
was unchecked.
Fixed a memory leak issue in the mgmtsrvr process that resulted in an OOM condition.
Fixed an issue on the firewall where the dataplane CPU spiked, which caused traffic to be affected during commits or content updates.
Fixed an issue where HIP database storage on the firewall reached full capacity due to the firewall not purging older HIP reports.
Fixed an issue where creating or modifying a GlobalProtect portal configuration failed in FIPS mode with the following error message:
clientless-vpn enc-algo-rc4 unexpected here
Fixed an issue where incoming DNS packets with looped compression pointers caused the dnsproxyd process to stop responding.
Fixed an issue where FQDN based Security policy rules did not match correctly.
Fixed an issue where the web_backend and httpd processes leaked descriptors, which caused activities that depended on the processes, such as logging in to the web interface, to fail.
Fixed an issue where, during HA failover, the newly passive firewall continued to pass traffic after the active firewall had already taken over.
Fixed an issue where GlobalProtect requested for passwords that contained non ASCII characters (ö) to be reentered when refreshing the connection.
Fixed an issue on Panorama where commits remained at 99% due to multiple firewalls sending out CSR singing requests every 10 minutes.
Fixed an issue on Panorama where you were able to attempt to push a number of active schedules to the firewall that was greater than the firewall's maximum capacity.
Fixed an issue that caused devices to be removed from Panorama when one device was added by one user, but a Commit and Push operation was completed by a second user before the first user completed a Commit of the added device change.
Fixed an issue where Panorama Global Search reported
No Matches found
while still returning results for matching entries on large configurations.
Firewalls in active/active HA configurations only
) Fixed an issue where firewall configuration files were not synced.
Fixed an issue where clicking on a rule in the
App Dependency
tab after a commit or commit all did not display the rule correctly.
Fixed an issue where setting the password complexity to
Require Password Change on First Login
caused the user to be prompted with certificate authentication.
Fixed an issue where, when grouping HA peers, access domains that were configured using multi-vsys firewalls deselected devices or virtual systems that were in other configured access domains.
Fixed an issue where, when you disabled a NAT rule, the
Destination Translation
displayed in blue and was still able to be modified to a different value.
Fixed an issue in which CBC ciphers for TLS traffic to port 28443 on Panorama were enabled.
Fixed an issue where, when adding new configurations, Panorama didn't display a list of suggested template variables when typing in a relevant field.
Fixed an issue where the
field in Terminal Access Controller Access-Control System (TACACS+) authentication displayed the management or service route IP address of the firewall instead of the source IP address of the user.
Fixed an issue where the FQDN refresh timer was pushed from Panorama appliances on PAN-OS 9.0 and later releases to firewalls running a PAN-OS 8.1 release.
Fixed an issue where configurations loaded and committed to Panorama changed external dynamic list references on Security policy rules to
when Antivirus Protection was not installed.
Fixed an issue where a process (routed) restarted due to the number of BGP peers exceeding the supported configuration.
Fixed an issue where you were unable to reset a VPN tunnel via the firewall web interface (
Network > IPSec Tunnels > Tunnel Info > Restart

Recommended For You