PAN-OS 9.1.3 Addressed Issues

PAN-OS® 9.1.3 addressed issues.
Issue ID
A fix was made to address a Security Assertion Markup Language (SAML) authentication issue (CVE-2020-2021).
Fixed an issue where SSL connections were blocked if you enabled decryption with the option to block sessions that have expired certificates. This issue included servers that sent an expired AddTrust certificate authority (CA) in the certificate chain.
Fixed an issue with internal buffer and file sizes where logs were discarded due to slow log purging when the incoming log rate was high.
PAN-145195, PAN-145151, PAN-145150, and PAN-145149
A fix was made to address a buffer overflow vulnerability in PAN-OS that allowed an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface (CVE-2020-2040).
Fixed an issue where Cortex Data Lake certificates on the firewall were not automatically renewed after the certificates expired.
Fixed an issue where a configuration audit created a large number of opresult.out files, which filled up the session/pan/user_tmp directory in opt/pancfg. This caused a slow Panorama response until a device restart was performed or the files were manually deleted from the root of the device.
Fixed an issue where a process (varrcvr) stopped responding on the PA-7000 Series Log Forwarding Card (LFC) when it received a verdict from the WildFire cloud.
Microsoft Azure only
) Fixed an issue where a process (brdagent) stopped responding, which caused the firewall to restart unexpectedly.
Fixed an issue where on the Panorama management server, hub and branch firewall latency, jitter, and packet loss data was not updated when monitoring SD-WAN link performance (
Panorama > SD-WAN > Monitoring
Fixed an issue where, after loading a saved configuration snapshot by API, a custom role-based administrator required Superuser privileges to perform a full commit.
Fixed an issue where the firewall repeatedly rebooted due to a process (rasmgr) restarting when GlobalProtect was used in pre-logon mode.
VM-Series firewalls only
) Fixed an issue where disk utilization of the root partition increased until it reached 100%.
Fixed an memory issue associated with a process (mgmtsrvr) due to a large number of ACK packets in logs on Panorama or the log collector.
Fixed an issue where Amazon Web Services (AWS) Nitro System based VM-Series firewalls unexpectedly rebooted due to input/output (I/O) errors caused by improper NMVE I/O timeout settings.
Fixed an issue where running a
test security-policy-match
API command truncated the rule name to 31 characters.
Fixed an issue where, in Panorama, cloning a shared Security policy rule failed if done via the web interface and resulted in a process (configd) restarting with the following error message:
Failed security rule(s): undefined The request could not be handled
Fixed an issue where a process (brdagent) failed in a high availability (HA) configuration using High Speed Chassis Interconnect (HSCI) ports due to a memory leak.
Fixed an issue where the firewalls faced connection issues with Cortex Data Lake.
Fixed an internal logging issue for a daemon (authd).
Fixed an issue where authentication stopped working after a commit and a process (authd) exited, which caused other processes to exit.
Fixed an issue where promiscuous VLAN mode did not work with the new host drivers being used on the ESXi and single-root input/output virtualization (SR-IOV) with VLAN tagging did not work as expected. Both Data Plane Development Kit and packet mmap mode did not work.
Fixed an issue where Slot 8 path monitoring failure occurred due to a memory buildup in a process (logrcvr) that was caused by slow communication and connection between log forwarding and Cortex Data Lake.
Fixed an issue where the resolution of FQDN for a policy on the web interface did not work as expected if the FQDN contained capital letters.
Fixed an issue where dataplane free memory was depleted, which affected new GlobalProtect connections to the firewall.
Fixed an issue where a commit or content update operation with an error was not prevented from executing in the dataplane, which caused corruption in the dataplane policy cache.
PA-7000 Series firewalls only
) Fixed an issue where a process (mprelay) on the control plane was restarted due to an internal heartbeat miss.
Fixed an issue where the dataplane restarted during a commit when
was enabled.
Fixed a memory leak issue caused by a process (mgmtsrvr).
Fixed an issue where a memory leak on a process (useridd) caused multiple processes to restart during device serial number checks.
Fixed an issue on Panorama where SNMP monitoring of the logging rate per device was incorrect.
Fixed an issue where a process (masterd) did not restart another process (logrcvr) on the Log Forwarding Card (LFC) after the process (logrcvr) crashed.
VM-Series firewalls only
) Fixed connection issues between IPv6 peers when the IPv6 neighbor cache was synchronized in an HA cluster where, after failover, the newly active firewall did not send multicast neighbor solicitation from its global unicast address.
Fixed an issue on Panorama in Legacy mode where configuring Network File System (NFS) log storage (
Device > Setup > Operations
) caused all plugin installations to fail.
Fixed an intermittent issue where the firewall used IP addresses instead of domain names for URL category lookup after upgrading to 9.0.6.
Fixed an issue where a process (logrcvr) exited due to a race condition.
Added additional debugging to periodically collect the
debug dataplane internal pdt bcm counters graphical
CLI command's output in the Tech Support File (TSF).
Fixed an issue where a process (authid) used a large amount of memory due to many incomplete authentication requests, which caused an out-of-memory (OOM) condition.
PA-7050 firewalls running on PA-7000 100G NPCs only
) Fixed an issue where the PA-7000 100G NPC Native Implemented Function (NIF) initialization took longer than expected, which caused internal path monitoring failure and sent the firewall into a non-functional state while rebooting.
Fixed an issue in the URL process where a process (devsrvr) stopped responding.
Fixed an issue where
Policy > Security > Test Policy Match
did not work when the source user or group length was greater than 20 characters.
Fixed an issue where disabling predefined trusted root certificates did not have any effect.
Fixed an issue where the firewall failed stateful inspection for GTP forward relocation requests greater than 1,500 bytes and could not parse Access Point Name (APN) information in forward relocation requests.
Fixed an issue that led to exhaustion of memory, which resulted in path monitoring failures when Cortex Data Lake was configured.
Fixed an issue on Panorama in Legacy mode where a process (logd) repeatedly restarted while processing incoming logs and caused Panorama to reboot.
Fixed an issue where after upgrading the passive firewall, the outer UDP sessions synced from the active firewall did not retain the rule information and after failover, GPRS tunneling protocol (GTP) inspection did not work.
Fixed an issue where unique GlobalProtect portal profiles were not selected in the correct order.
Fixed an issue where a commit failed with the following error message:
destination is invalid
when using objects from static routes.
Fixed an issue where a process (configd) restarted and administrators received one of the following error messages:
Timed out while getting config lock. Please try again
Please wait while the server reboots...
due to a database error.
Fixed a performance drop issue seen when using API to configure larger sets of objects (more than 25 objects).
Fixed an issue where, in an HA active/active configuration in a virtual wire deployment with asymmetric traffic, decryption did not work for some sites.
Fixed an issue where custom role-based admins were able to reset the rule hit counter for disabled device groups.
Fixed an issue with internal buffer and file sizes where logs were discarded due to slow log purging when the incoming log rate was high.
Fixed an intermittent issue where logs were delayed or missing when querying for logs by applying filters. To leverage this fix, you must upgrade Panorama to 9.0.9 and the Cloud Services plugin to 1.6.0-h1.
Fixed an issue where a Panorama
Custom Report
based on the
Detailed Logs > Panorama Data > Traffic
database was not able to report on decrypted sessions.
Fixed an issue where the host information profile (HIP) match message was automatically enabled when modifying the GlobalProtect Agent settings.
Fixed an issue where virtual machine (VM) information source Dynamic Address Groups overrode static address groups, which caused traffic to hit the wrong Security policy rule.
PA-7000 Series firewalls only
) Fixed an issue where hot swapping a PA-7000 100G NPC with a PA-7000 20G NPC caused packet buffer leak and slot restarts.
VM-Series firewalls in Microsoft Azure environment only
) Fixed an issue where a firewall with accelerated networking enabled was unable to process packets efficiently because of underlying Microsoft drivers. To leverage this fix, you must upgrade to VM-Series Plugin 1.0.12.
PA-7000 Series firewalls only, running with both a PA-7000 100G NPC and a PA-7000 20G NPC
) Fixed an issue where IPSec traffic caused dataplane restarts.
Fixed an issue where GlobalProtect logs failed to send to syslog servers over a TCP connection.
Fixed an issue where, for users with admin roles, logs for only one device group were displayed due to a query string with multiple device groups.
Fixed an issue where a memory leak associated with a process (devsrvr) caused an out-of-memory (OOM) condition on the firewall.
Fixed an issue where the
show config diff
CLI command did not work correctly and produced unexpected output.
Fixed an issue where the authentication policy did not redirect users for Captive Portal authentication if the attached authentication profile did not have
Enable Additional Authentication Factors
Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization.
Fixed an issue where a Panorama appliance running PAN-OS 9.1.0 was unable to export address objects and displayed the following error message:
Error while exporting
Fixed an issue where SSL decrypted traffic was dropped due to a certificate status error during session resumption.
Fixed an issue where access was denied if a password contained more than 63 characters.
Fixed an issue where, on a firewall managed by Panorama, the XML API based IP tags were lost after a firewall reboot or process (
) restart.
Fixed an issue where, in a particular scenario, the first response to a SIP INVITE message created incorrect
entries and caused Via header translation failure.
Fixed an issue where an FQDN update that resolved to the same IP address of another FQDN across different policies caused the other FQDN to be deleted due to missing FQDN aggregation.
Fixed an issue on the firewall where the dataplane pan-task process (all_pktproc) stopped responding while inspecting Server Message Block (SMB) traffic.
Panorama virtual appliances only
) Fixed an issue where SNMP monitoring of ifSpeed reported the interface speed as 0 for interfaces other than eth0.
PA-3000 Series and PA-800 Series firewalls only
) Fixed an issue with insufficient memory allocation for configurations to accommodate the PAN-OS 9.0 Dynamic Address Group feature.
Fixed an issue where PA-7000 20GXM and PA-7000 20GQXM Network Processing Cards (NPCs) failed to process some sessions for Layer 7 inspection due to internal maximum threshold value that was not set.
Fixed an issue where a process (useridd) failed due to internal user groups that were loading from the disk taking over the lock.
Fixed an issue where fragmented packets leaked, which caused the depletion of Work Query Entry (WQE) pools.
Fixed an issue where, when the
from the request header was long, the converted XML was truncated, which caused parsing to fail by a process (rasmgr) due to a limitation on the buffer length.
Fixed an issue where a process (all_pktproc) restarted while processing packets with and destination protocol 251 that internally mapped to GTP-C traffic, which caused the dataplane to restart.
Fixed an issue where dataplane interfaces remained down after active firewall bootup or a high availability (HA) failover.
Fixed an issue where generating subordinate ECDSA Certificate Authority (CA) certificates from the web interface failed if the
Common Name
field contained a space.
Fixed an intermittent issue where Panorama was unable to query logs from the log collector due to large file sizes in es_cache_cron.log.
Fixed an issue that prevented Panorama from being switched out of management-only mode when deployed in Amazon Web Services (AWS) instance types M5 and C5.
Fixed an issue where a commit job failed due to a process (mgmtsrvr) exiting.
Fixed an issue where the firewall dropped DNS requests for root servers when the action of the DNS security signature was set to
in an
Security profile.
Fixed an issue with log collectors on Panorama where large index sizes caused higher CPU usage than expected when disk space usage was high.
Fixed an issue on Panorama where administrators were unable to delete a shared address object even when it was not referenced in the configuration.
Fixed an issue where the GlobalProtect client used IPv6 during gateway login but used IPv4 during IPsec tunnel creation, which caused it to fallback to SSL.
Fixed an issue on the firewall where configuring uppercase
User Domain
values in authentication profiles led to a failure in GlobalProtect Agent configuration selection based on the domain user match condition.
Fixed an issue where policies that contained objects did not display correctly when exported to CSV or PDF format.
Fixed an issue where all NAT rules using the same FQDN entries as translated IP addresses were not updated when the IP addresses changed for those FQDNs.
Fixed an issue where, with a new Panorama appliance running PAN-OS 9.1.0 and a firewall running an earlier version, the following error message displayed:
interface sdwan is not a valid reference
A fix was made to address a vulnerability involving information exposure through log files where an administrator's password or other sensitive information was logged in cleartext while using the CLI in PAN-OS software. The
file was introduced to track operational command (op-command) usage but did not mask all sensitive information (CVE-2020-2044).
Fixed an issue where setting an IPv6 destination filter for the packet-diag option returned an error regarding a character limit.
Fixed an issue where TMP files were not deleted, which caused the root partition to run out of disk space and caused issues with accessing the firewall.
VM-Series firewalls only
) Fixed an issue where the VLAN interface failed to obtain the MAC address when the interface was used as a DHCP relay agent.
Fixed an issue with Security Assertion Markup Language (SAML) authentication where the firewall used old
values, which resulted in failed authentication.
Fixed an issue where DNS proxy failed due to incorrect mapping of the DNS transaction ID.
Fixed an issue where Session Initiation Protocol (SIP) messages were not parsed correctly when the packet was received in separate segments, which caused the receiver to receive corrupted messages.
Fixed an issue that caused a procses (ikemgr) to exit when site-to-site VPNs experienced connectivity interruptions.
Fixed an issue where the Terminal Server (TS) Agent disconnected on the firewall after a failover or reboot.
Fixed an issue on the firewalls where configuring a default Online Certificate Status Protocol (OCSP) URL in front of an intermediate certificate authority (CA) in a certificate profile did not override the OCSP URL during the validation of client certificates issued by the intermediate CA.
Fixed an issue where service objects were unable to be deleted if they were configured to exceed firewall limits.
Fixed an issue where both firewalls in an HA active/passive configuration stopped responding at the same time.
Fixed an issue where, in VM-Series firewalls deployed using init-cfg.txt in the bootstrap process and set in an HA configuration, the configuration did not display as synchronized due to the initcfg configuration.
Fixed an issue where a process (pan_comm) stopped responding due to operation commands run during a commit.
A fix was made to address an OS command injection vulnerability in the PAN-OS management interface that allowed authenticated administrators to execute arbitrary OS commands with root privileges (CVE-2020-2037).
Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.
Fixed an issue where reports for URLs were not generating the correct data output.
Fixed an issue where the firewall intermittently dropped DNS A or AAAA queries received over IPSec tunnels due to a session installation failure.
Fixed an issue where multiple daemons restarted due to MP ARP overflow.
Fixed an issue where packets tagged with IP protocol 252 were incorrectly treated as GPRS tunneling protocol (GTP) traffic, which caused the packet processor to terminate.
Fixed an issue where a new GPRS tunneling protocol version 2 control plane (GTPv2-C) session reused GTP-C tunnel parameters within two seconds after deleting the old GTP-C session, which caused a session conflict on the firewall.
Fixed an issue where the PAN-OS XML API packet capture (pcap) export failed with the following error message:
Missing value for parameter device_name
. Now,
are no longer required parameters.
Fixed an issue where license and content error files received from the update and license servers were not saved to disk.
VM-Series firewalls on VMware ESXi only
) Fixed an issue where the firewall stays in a boot loop and enters maintenance mode after adding a 60GB disk.
Fixed an issue on Panorama where, when navigating through
, the following error message displayed:
show rule hit count op-command failed
Fixed an issue where the firewall generated excessive logs for content decoder (CTD) errors.
Fixed an issue where renaming a template stack did not change the value and reset to the original value after you commit the change.
Fixed an issue where an empty host name in the HTTP header caused a web server process (
) to stop responding when you accessed the captive portal redirect page.
Fixed an issue where a process (
) leaked memory, which caused the firewall to drop traffic and display the following error message:
Out-of-memory condition detected, kill process
Fixed an issue where the firewall stopped forwarding logs to the log collector from the Log Processing Card (LPC) after a commit push from Panorama due to a race condition.
Fixed an issue where threat
field of a threat
Custom Report
displayed the threat ID instead of the threat name.
Fixed an issue with summary reports where displayed dates were incorrect due to the date range calculation not considering the change in year.
Fixed an issue where the OSPF summary Link State Advertisement (LSA) for the default route were not advertised by the Area Border Router (ABR).
Fixed an issue where the IP address-to-tag mappings for Dynamic Address Groups did not display as expected on Panorama after you configured the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin.
Fixed an issue on a PA-5200 Series firewall in a high availability (HA) active/passive configuration where the firewall dropped TCP-FIN packets after a failover.

Recommended For You