PAN-OS 9.1.2 Addressed Issues
Focus
Focus

PAN-OS 9.1.2 Addressed Issues

Table of Contents

PAN-OS 9.1.2 Addressed Issues

PAN-OS® 9.1.2 addressed issues.
Issue ID
Description
WF500-5343
Fixed an issue on WF-500 that caused cloud queries to fail when the cloud verdict did not match the local verdict.
PAN-142084
Fixed an issue where upgrading a Panorama management server deployed on Amazon Web Services (AWS) using a C5 or M5 instance type to PAN-OS 9.1.1 caused the Panorama Virtual Appliance to stop responding.
PAN-140509
Fixed an issue where performing private data resets during custom Amazon Machine Image (AMI) creation removed CloudWatch directories and caused the CloudWatch plugin to fail.
PAN-140157
A fix was made to address a vulnerability where the password for a configured system proxy server for a PAN-OS appliance was displayed in cleartext when using the CLI in PAN-OS (CVE-2020-2048).
PAN-138003
Fixed an issue where a process (rasmgr) exited, which caused the firewall to reboot due to a null pointer dereference error when
usr_info
was null.
PAN-137966
Fixed a configuration lock issue where Panorama timed out due to a process (configd) being unable to read another process (mongod).
PAN-137709
Fixed an issue where dynamic DNS (DDNS) failed due to a Lua script error.
PAN-137191
Fixed an issue where the
Custom URL Category
default action changed from
allow
to
none
after upgrading to PAN-OS 9.1.0.
PAN-136724
Fixed an issue with a process (snmpd) and booting errors.
PAN-136698
Fixed an issue where a process (all_pktproc) stopped responding and the dataplane restarted when the firewall processed a malformed GPRS tunneling protocol (GTP) packet.
PAN-136696
Fixed an issue where the dataplane restarted due to excessive logs from the pan_comm process.
PAN-136608
Fixed an issue in Panorama where the Security policy
Target
displayed the serial number of the targeted device instead of the hostname.
PAN-136607
Fixed an issue with GPRS tunneling protocol (GTP) event packet capture (pcap) where enabling
Packet Capture
did not work.
PAN-136453
Fixed an issue where performing a private data reset using the
request system private-data-reset
CLI command caused the unit to boot into maintenance mode.
PAN-136390
(
PA-7000 Series with 100GB NPC only
) Fixed an issue during firewall bootup where the following error message:
Bootloader upgrade failed, ret 255
appeared when small form-factor pluggable (SPF) modules were installed.
PAN-136304
Fixed an issue where clientless VPN rewrite failed due to incorrect parsing of the HTML webpage.
PAN-135909
Fixed an issue where connections leading to the web interface were abruptly interrupted due to a double free condition (gPanUiPhpGlobal_secure_config_reset), which led to unexpected process restarts and core file generation.
PAN-135703
(
PA-7000 Series firewalls only
) Fixed an issue where the switch ports connected to Quad Small Form-factor Pluggable (QSFP+) interfaces were up while Network Processing Cards (NPCs) were still rebooting.
PAN-135587
Fixed an issue where the GlobalProtect gateway was unable to parse a large list of IP addresses assigned on a local machine.
PAN-135570
Fixed an issue where management access to a VM-Series firewall deployed in Amazon Web Services (AWS) cloud was slow due to high disk input/output (I/O) operations caused by expired Large Scale VPN (LSVPN) certificates.
PAN-135452
Fixed an issue where configuration related to virtual machine (VM) information sources caused a process (userid) to crash, which led to a firewall reboot.
PAN-135260
(
PA-7000 Series firewalls running PAN-OS® 8.1.12 only
) Fixed an intermittent issue where the dataplane process (all_pktproc_X) on a Network Processing Card (NPC) restarted when processing IPSec tunnel traffic.
PAN-135141
Fixed an issue where the Log Processing Card (LPC) did not come up intermittently in a fully loaded PA-7000 Series.
PAN-135103
A fix was made to address a format string vulnerability on PA-7000 Series firewalls with a Log Forwarding Card (LFC) (CVE-2020-1992).
PAN-135089
Fixed an issue where the CPU for a process (ikemgr) spiked when third-party VPN clients connected to the GlobalProtect gateway with more than three DNS servers configured.
PAN-135039
Fixed an issue in Panorama where a memory leak occurred during a high availability (HA) sync commit.
PAN-134981
Fixed an issue with a memory leak in a process (user-id) due to failed LDAP over SSL (LDAPS) requests.
PAN-134810
Fixed an issue where
Resolve
in the web interface did not work for FQDN address objects with more than 63 characters.
PAN-134714
Fixed an issue where Safe Search was not enabled after an application change.
PAN-134571
Fixed an issue where DNS security incorrectly set bits to zero on compressed DNS packets, which caused DNS malformation.
PAN-134547
Fixed an issue where the passive firewall in an active/passive high availability (HA) configuration deleted BGP-learned routes synchronized from the active firewall if the BGP configuration included the redistribution of the learned routes.
PAN-134546
Fixed a rare issue on the firewall where a process (flow_mgmt) restarted due to an invalid packet received through the GlobalProtect agent or clientless VPN.
PAN-134488
Fixed an issue where a process (all_pktproc) crashed while processing Clientless VPN traffic.
PAN-134370
Fixed an issue where a process (mp-relay) restarted due to missing routes or next hops.
PAN-134309
Fixed an issue where a process (devsrvr) restarted when it hit the limit of the number of custom patterns available in the allocated memory.
PAN-134244
Fixed an issue where connections proxied by the firewall (such as SSL Decryption, GlobalProtect portal and gateway connections, and SIP over TCP) failed due to insufficient buffer allocation. Some connections failed with the following error message:
proxy decrypt failure
.
PAN-134038
Fixed an issue where custom signatures did not properly detect the User-Agent header when the Origin header was also present.
PAN-133915
Fixed an issue on Panorama where configuring a BGP import rule from the CLI failed with the following error message:
Server error : permission denied for the command set
.
PAN-133912
Fixed an issue where querying traffic logs based on address objects and address groups did not work.
PAN-133883
Fixed an issue where a race condition caused "pan_task" and "pan_com" to exit unexpectedly.
PAN-133880
Fixed an issue where RADIUS authentication failed due to an FQDN resolution failure after the VM-Series firewall rebooted.
PAN-133731
Fixed an issue on the Panorama Virtual Appliance where the
show interface all
CLI command did not list any output.
PAN-133614
Fixed an issue on the Panorama Virtual Appliance where SNMP Object IDs (OIDs) were missing for interfaces other than the
Management
interface.
PAN-133609
Fixed an issue where the Authentication Portal did not work due to a large number of HTTP requests with unsupported Authorization headers.
PAN-133582
Fixed an issue in the firewalls where some Dynamic Address Groups pushed from Panorama were missing member IP addresses.
PAN-133527
A fix was made to address a NULL pointer dereference vulnerability in PAN-OS (CVE-2020-1995).
PAN-133491
Fixed an issue where Internet Protocol (IP) to user mappings were not synced from the HUB virtual system (vsys) to the non-hub vsys.
PAN-133448
Fixed an issue where the mprelay process could crash during commit if the devsrvr process was restarted before or during the commit.
PAN-133440
Fixed an issue where fragmented traffic caused high dataplane use and firewall performance issues.
PAN-133411
Fixed an issue where after making configuration changes and selecting
Preview Changes
, a 500 Internal Server Error message displayed due to a memory leak.
PAN-133378
Fixed an issue in Panorama where a process (configd) restarted while doing a commit using a RADIUS super admin role.
PAN-133289
Fixed an issue where improper parsing of the URL database caused high device-server CPU usage.
PAN-133288
Fixed an issue where the API key limit in the *HTTP server profile was 128 characters.
PAN-133211
Fixed an issue where the policy order was not maintained when moved to a different device group.
PAN-133179
Fixed a rare issue where the
show ntp
CLI command showed the status as rejected even when the NTP was synced with at least one NTP server.
PAN-133042
(
PA-5200 and PA-7000 Series firewalls only
) Fixed an issue where firewalls dropped certain GPRS tunneling protocol (GTP) traffic even when
gtp nodrop
was enabled.
PAN-132995
(
PA-7000 Series and PA-3200 Series firewalls only
) Fixed an issue where when jumbo frames were enabled, the maximum transmission unit (MTU) size limit was lower than expected.
PAN-132766
Fixed an issue in Panorama where custom region objects were not visible in the GlobalProtect Portal
External Gateway
drop-down.
PAN-132715
Fixed an issue where a child dynamic address group was not added as a member of the parent group.
PAN-132697
Fixed an issue where the GlobalProtect portal did not generate certificate signing requests (CSRs) due to failed Simple Certificate Enrollment Protocol (SCEP) authentication cookie validation.
PAN-132658
Fixed an issue where a nullification method for steam control transmission protocol (SCTP) data chunks did not work.
PAN-131993
Fixed an issue where a process (reportd) would crash while running a log query.
PAN-131501
Fixed an issue when configuring Clientless VPN and executing the
portal-getconfig
CLI command where user groups were retrieved but were not freed, which caused a memory leak on a process (sslvpn).
PAN-131491
Fixed an issue where the
ACC
risk meter displayed as zero for long time periods with a large amount of logs.
PAN-130776
Fixed an issue on Panorama where Applications and Threats content update deployment failed due to the content version date check.
PAN-130573
Fixed an issue where the software pool for Regex results was depleted and caused connection failures.
PAN-130447
Fixed an issue where the firewall dropped offloaded traffic every time there was an explicit commit (
Commit
on the firewall locally or
Commit All Changes
in Panorama) or an implicit commit (such as an Antivirus update, Dynamic Update, or WildFire® update) on the firewall.
PAN-129281
Fixed an issue where a process (useridd) restarted due to a buffer overflow when the time-to-live (TTL) and
Idle Timeout
values were set to
Never
, a timing issue between user group context and a process (sysd) callback, and a group mapping issue when multiple group mappings fetched the same groups with different override domains.
PAN-128879
Fixed an issue where the PAN-OS XML API inject was not working for IP address to user mappings or for the import of software, content, and plugins.
PAN-128398
Fixed an issue where performing a factory reset or enabling FIPS mode would cause the VM-Series plugin to revert to the default VM-Series plugin 1.0.0.
PAN-127438
Fixed an issue where GlobalProtect portal configuration selection based on certificate template OID failed.
PAN-127260
Fixed an issue where the /opt/pancfg partition became full due to a large amount of botnet reports that were not automatically deleted.
PAN-125534
(
PA-5200 Series and PA-7000 Series firewalls only
) Fixed an issue where firewalls experienced high packet descriptor (on-chip) usage during uploads to the WildFire Cloud or WF-500 appliance.
PAN-125501
Fixed an issue where URL information in a URL
Custom Report
was blank when the report contained flexible size fields (such as
URL Category List
).
PAN-124658
Fixed an issue where the timer system call activated more frequently than expected, which caused higher than expected CPU usage.
PAN-123637
(
PA-3200 Series firewalls only
) Fixed an issue where configuring 1G small form-factor pluggable (SFP) ports on the firewall in forced speed mode (of 1G) rendered the link unusable when the peer device also had forced speed mode (of 1G) enabled.
PAN-122004
(
PA-5200 Series firewalls only
) Fixed an issue where the Quad Small Form-factor Pluggable (QSFP) 28 ports 21 and 22 did not respond when plugged in with a Finisar 100G AOC cable.
PAN-121626
(
PA-3200 Series firewalls only
) Fixed an intermittent issue where firewalls dropped packets, which caused issues such as traffic latency, slow file transfers, reduced throughput, internal path monitoring failures, and application failures.
PAN-119452
An enhancement was made to improve subsequent loading times of device groups after the first load.
PAN-117043
Fixed an issue where using special characters in the tag names of the Security policy rules returned the following error message when committing or pushing a configuration:
group-tag is invalid
.
PAN-116480
Fixed an issue in Panorama where the
show system search-engine-quota
CLI command, the
show log-collector serial-number <log-collector_SN>
CLI command, and
Statistics
(
Panorama > Managed Collectors > Statistics
) showed incorrect log retention data.
PAN-116002
Fixed an issue where an incorrect optimization could cause IP address-to-user mapping to not update within 60 seconds.
PAN-114966
Fixed an issue where trunk interfaces were not working on Hyper-V.
PAN-114533
Fixed an issue where traffic was blocked by safe search enforcement before matching the intended allow rule.
PAN-110960
Fixed an issue on Panorama M-Series and virtual appliances where commits failed when you configured an address group object in the Include List (
Network > Zone > <zone-name> > Include List
).
PAN-110441
(
PA-5200 Series firewall only
) Fixed an intermittent issue where the internal path monitoring failed, which caused the firewall to unexpectedly restart.
PAN-107207
Fixed an issue where the VPN tunnel operational status incorrectly displays "up" even though the VPN tunnel is down.
PAN-98933
Fixed an issue on an M-Series appliances in a high availability (HA) active/passive configuration where the schedules (
Device > Dynamic Updates
) were unresponsive after a failover or restart of Panorama.
PAN-88136
Fixed a rare issue where a URL update caused the dataplane to restart.

Recommended For You