PAN-OS 9.1.3 Addressed Issues

PAN-OS® 9.1.3 addressed issues.
Issue ID
Description
PAN-148988
A fix was made to address a Security Assertion Markup Language (SAML) authentication issue (CVE-2020-2021).
PAN-148068
Fixed an issue where SSL connections were blocked if you enabled decryption with the option to block sessions that have expired certificates. This issue included servers that sent an expired AddTrust certificate authority (CA) in the certificate chain.
PAN-147424
Fixed an issue with internal buffer and file sizes where logs were discarded due to slow log purging when the incoming log rate was high.
PAN-145195, PAN-145151, PAN-145150, and PAN-145149
A fix was made to address a buffer overflow vulnerability in PAN-OS that allowed an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface (CVE-2020-2040).
PAN-145026
Fixed an issue where Cortex Data Lake certificates on the firewall were not automatically renewed after the certificates expired.
PAN-144782
Fixed an issue where a configuration audit created a large number of opresult.out files, which filled up the session/pan/user_tmp directory in opt/pancfg. This caused a slow Panorama response until a device restart was performed or the files were manually deleted from the root of the device.
PAN-144646
Fixed an issue where a process (varrcvr) stopped responding on the PA-7000 Series Log Forwarding Card (LFC) when it received a verdict from the WildFire cloud.
PAN-144221
(Microsoft Azure only) Fixed an issue where a process (brdagent) stopped responding, which caused the firewall to restart unexpectedly.
PAN-144073
Fixed an issue where, on the Panorama management server, hub and branch firewall latency, jitter, and packet loss data was not updated when monitoring SD-WAN link performance (Panorama > SD-WAN > Monitoring).
PAN-143957
Fixed an issue where, after loading a saved configuration snapshot by API, a custom role-based administrator required Superuser privileges to perform a full commit.
PAN-143845
Fixed an issue where the firewall repeatedly rebooted due to a process (rasmgr) restarting when GlobalProtect was used in pre-logon mode.
PAN-143537
(VM-Series firewalls only) Fixed an issue where disk utilization of the root partition increased until it reached 100%.
PAN-143493
Fixed a memory issue associated with a process (mgmtsrvr) due to a large number of ACK packets in logs on Panorama or the log collector.
PAN-143442
Fixed an issue where Amazon Web Services (AWS) Nitro System based VM-Series firewalls unexpectedly rebooted due to input/output (I/O) errors caused by improper NVMe I/O timeout settings.
PAN-143169
Fixed an issue where running a test security-policy-match API command truncated the rule name to 31 characters.
PAN-143130
Fixed an issue where, in Panorama, cloning a shared Security policy rule failed if done via the web interface and resulted in a process (configd) restarting with the following error message: "Failed security rule(s): undefined The request could not be handled".
PAN-142674
Fixed an issue where a process (brdagent) failed in a high availability (HA) configuration using High Speed Chassis Interconnect (HSCI) ports due to a memory leak.
PAN-142302
Fixed an issue where the firewalls faced connection issues with Cortex Data Lake.
PAN-142089
Fixed an internal logging issue for a daemon (authd).
PAN-141923
Fixed an issue where authentication stopped working after a commit and a process (authd) exited, which caused other processes to exit.
PAN-141844
Fixed an issue where promiscuous VLAN mode did not work with the new host drivers being used on the ESXi and single-root input/output virtualization (SR-IOV) with VLAN tagging did not work as expected. Both Data Plane Development Kit and packet mmap mode did not work.
PAN-141563
Fixed an issue where Slot 8 path monitoring failure occurred due to a memory buildup in a process (logrcvr) that was caused by slow communication and connection between log forwarding and Cortex Data Lake.
PAN-141262
Fixed an issue where the resolution of FQDN for a policy on the web interface did not work as expected if the FQDN contained capital letters.
PAN-141239
Fixed an issue where dataplane free memory was depleted, which affected new GlobalProtect connections to the firewall.
PAN-141221
Fixed an issue where a commit or content update operation with an error was not prevented from executing in the dataplane, which caused corruption in the dataplane policy cache.
PAN-140982
(PA-7000 Series firewalls only) Fixed an issue where a process (mprelay) on the control plane was restarted due to an internal heartbeat miss.
PAN-140846
Fixed an issue where the dataplane restarted during a commit when Netflow was enabled.
PAN-140669
Fixed a memory leak issue caused by a process (mgmtsrvr).
PAN-140628
Fixed an issue where a memory leak on a process (useridd) caused multiple processes to restart during device serial number checks.
PAN-140618
Fixed an issue on Panorama where SNMP monitoring of the logging rate per device was incorrect.
PAN-140575
Fixed an issue where a process (masterd) did not restart another process (logrcvr) on the Log Forwarding Card (LFC) after the process (logrcvr) crashed.
PAN-140465
(VM-Series firewalls only) Fixed connection issues between IPv6 peers when the IPv6 neighbor cache was synchronized in an HA cluster where, after failover, the newly active firewall did not send multicast neighbor solicitation from its global unicast address.
PAN-140389
Fixed an issue on Panorama in Legacy mode where configuring Network File System (NFS) log storage (Device > Setup > Operations) caused all plugin installations to fail.
PAN-140386
Fixed an intermittent issue where the firewall used IP addresses instead of domain names for URL category lookup after upgrading to 9.0.6.
PAN-140375
Fixed an issue where a process (logrcvr) exited due to a race condition.
PAN-140270
Added additional debugging to periodically collect the debug dataplane internal pdt bcm counters graphical CLI command's output in the Tech Support File (TSF).
PAN-140121
Fixed an issue where a process (authid) used a large amount of memory due to many incomplete authentication requests, which caused an out-of-memory (OOM) condition.
PAN-140043
(PA-7050 firewalls running on PA-7000 100G NPCs only) Fixed an issue where the PA-7000 100G NPC Native Implemented Function (NIF) initialization took longer than expected, which caused internal path monitoring failure and sent the firewall into a non-functional state while rebooting.
PAN-139935
Fixed an issue in the URL process where a process (devsrvr) stopped responding.
PAN-139858
Fixed an issue where Policy > Security > Test Policy Match did not work when the source user or group length was greater than 20 characters.
PAN-139727
Fixed an issue where disabling predefined trusted root certificates did not have any effect.
PAN-139718
Fixed an issue where the firewall failed stateful inspection for GTP forward relocation requests greater than 1,500 bytes and could not parse Access Point Name (APN) information in forward relocation requests.
PAN-139661
Fixed an issue that led to exhaustion of memory, which resulted in path monitoring failures when Cortex Data Lake was configured.
PAN-139595
Fixed an issue on Panorama in Legacy mode where a process (logd) repeatedly restarted while processing incoming logs and caused Panorama to reboot.
PAN-139555
Fixed an issue where after upgrading the passive firewall, the outer UDP sessions synced from the active firewall did not retain the rule information and after failover, GPRS tunneling protocol (GTP) inspection did not work.
PAN-139391
Fixed an issue where unique GlobalProtect portal profiles were not selected in the correct order.
PAN-139371
Fixed an issue where a commit failed with the following error message: "destination is invalid" when using objects from static routes.
PAN-138870
Fixed an issue where a process (configd) restarted and administrators received one of the following error messages: "Timed out while getting config lock. Please try again" or "Please wait while the server reboots..." due to a database error.
PAN-138813
Fixed a performance drop issue seen when using API to configure larger sets of objects (more than 25 objects).
PAN-138739
Fixed an issue where, in an HA active/active configuration in a virtual wire deployment with asymmetric traffic, decryption did not work for some sites.
PAN-138674
Fixed an issue where custom role-based admins were able to reset the rule hit counter for disabled device groups.
PAN-138648
Fixed an issue with internal buffer and file sizes where logs were discarded due to slow log purging when the incoming log rate was high.
PAN-138476
Fixed an intermittent issue where logs were delayed or missing when querying for logs by applying filters. To leverage this fix, you must upgrade Panorama to 9.0.9 and the Cloud Services plugin to 1.6.0-h1.
PAN-138213
Fixed an issue where a Panorama Custom Report based on the Detailed Logs > Panorama Data > Traffic database was not able to report on decrypted sessions.
PAN-138037
Fixed an issue where the host information profile (HIP) match message was automatically enabled when modifying the GlobalProtect Agent settings.
PAN-138034
Fixed an issue where virtual machine (VM) information source Dynamic Address Groups overrode static address groups, which caused traffic to hit the wrong Security policy rule.
PAN-137902
(PA-7000 Series firewalls only) Fixed an issue where hot swapping a PA-7000 100G NPC with a PA-7000 20G NPC caused a packet buffer leak and slot restarts.
PAN-137885
(VM-Series firewalls in Microsoft Azure environment only) Fixed an issue where a firewall with accelerated networking enabled was unable to process packets efficiently because of underlying Microsoft drivers. To leverage this fix, you must upgrade to VM-Series Plugin 1.0.12.
PAN-137867
(PA-7000 Series firewalls only, running with both a PA-7000 100G NPC and a PA-7000 20G NPC) Fixed an issue where IPSec traffic caused dataplane restarts.
PAN-137777
Fixed an issue where GlobalProtect logs failed to send to syslog servers over a TCP connection.
PAN-137716
Fixed an issue where, for users with admin roles, logs for only one device group were displayed due to a query string with multiple device groups.
PAN-137673
Fixed an issue where a memory leak associated with a process (devsrvr) caused an out-of-memory (OOM) condition on the firewall.
PAN-137656
Fixed an issue where the show config diff CLI command did not work correctly and produced unexpected output.
PAN-137401
Fixed an issue where the authentication policy did not redirect users for Captive Portal authentication if the attached authentication profile did not have Enable Additional Authentication Factors selected.
PAN-137387
Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization.
PAN-137251
Fixed an issue where a Panorama appliance running PAN-OS 9.1.0 was unable to export address objects and displayed the following error message: "Error while exporting".
PAN-137152
Fixed an issue where SSL decrypted traffic was dropped due to a certificate status error during session resumption.
PAN-136957
Fixed an issue where access was denied if a password contained more than 63 characters.
PAN-136950
Fixed an issue where, on a firewall managed by Panorama, the XML API based IP tags were lost after a firewall reboot or process (useridd) restart.
PAN-136791
Fixed an issue where, in a particular scenario, the first response to a SIP INVITE message created incorrect appinfo2ip entries and caused Via header translation failure.
PAN-136765
Fixed an issue where an FQDN update that resolved to the same IP address of another FQDN across different policies caused the other FQDN to be deleted due to missing FQDN aggregation.
PAN-136726
Fixed an issue on the firewall where the dataplane pan-task process (all_pktproc) stopped responding while inspecting Server Message Block (SMB) traffic.
PAN-136716
(Panorama virtual appliances only) Fixed an issue where SNMP monitoring of ifSpeed reported the interface speed as 0 for interfaces other than eth0.
PAN-136703
(PA-3000 Series and PA-800 Series firewalls only) Fixed an issue with insufficient memory allocation for configurations to accommodate the PAN-OS 9.0 Dynamic Address Group feature.
PAN-136649
Fixed an issue where PA-7000 20GXM and PA-7000 20GQXM Network Processing Cards (NPCs) failed to process some sessions for Layer 7 inspection due to an internal maximum threshold value that was not set.
PAN-136623
Fixed an issue where a process (useridd) failed due to internal user groups that were loading from the disk taking over the lock.
PAN-136612
Fixed an issue where fragmented packets leaked, which caused the depletion of Work Query Entry (WQE) pools.
PAN-136582
Fixed an issue where, when the app-version from the request header was long, the converted XML was truncated, which caused parsing to fail by a process (rasmgr) due to a limitation on the buffer length.
PAN-136470
Fixed an issue where a process (all_pktproc) restarted while processing packets with 0.0.0.0 and destination protocol 251 that internally mapped to GTP-C traffic, which caused the dataplane to restart.
PAN-136173
Fixed an issue where dataplane interfaces remained down after active firewall bootup or a high availability (HA) failover.
PAN-136007
Fixed an issue where generating subordinate ECDSA Certificate Authority (CA) certificates from the web interface failed if the Common Name field contained a space.
PAN-135946
Fixed an intermittent issue where Panorama was unable to query logs from the log collector due to large file sizes in es_cache_cron.log.
PAN-135865
Fixed an issue that prevented Panorama from being switched out of management-only mode when deployed in Amazon Web Services (AWS) instance types M5 and C5.
PAN-135844
Fixed an issue where a commit job failed due to a process (mgmtsrvr) exiting.
PAN-135796
Fixed an issue where the firewall dropped DNS requests for root servers when the action of the DNS security signature was set to alert or sinkhole in an Anti-Spyware Security profile.
PAN-135684
Fixed an issue with log collectors on Panorama where large index sizes caused higher CPU usage than expected when disk space usage was high.
PAN-135547
Fixed an issue on Panorama where administrators were unable to delete a shared address object even when it was not referenced in the configuration.
PAN-135504
Fixed an issue where the GlobalProtect client used IPv6 during gateway login but used IPv4 during IPsec tunnel creation, which caused it to fall back to SSL.
PAN-135418
Fixed an issue on the firewall where configuring uppercase User Domain values in authentication profiles led to a failure in GlobalProtect Agent configuration selection based on the domain user match condition.
PAN-135356
Fixed an issue where policies that contained objects did not display correctly when exported to CSV or PDF format.
PAN-135321
Fixed an issue where all NAT rules using the same FQDN entries as translated IP addresses were not updated when the IP addresses changed for those FQDNs.
PAN-135314
Fixed an issue where, with a new Panorama appliance running PAN-OS 9.1.0 and a firewall running an earlier version, the following error message displayed: "interface sdwan is not a valid reference".
PAN-135262
A fix was made to address a vulnerability involving information exposure through log files where an administrator's password or other sensitive information was logged in cleartext while using the CLI in PAN-OS software. The opcmdhistory.log file was introduced to track operational command (op-command) usage but did not mask all sensitive information (CVE-2020-2044).
PAN-135158
Fixed an issue where setting an IPv6 destination filter for the packet-diag option returned an error regarding a character limit.
PAN-134979
Fixed an issue where TMP files were not deleted, which caused the root partition to run out of disk space and caused issues with accessing the firewall.
PAN-134799
Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.
PAN-134624
(VM-Series firewalls only) Fixed an issue where the VLAN interface failed to obtain the MAC address when the interface was used as a DHCP relay agent.
PAN-134431
Fixed an issue with Security Assertion Markup Language (SAML) authentication where the firewall used old authd_id values, which resulted in failed authentication.
PAN-133885
Fixed an issue where DNS proxy failed due to incorrect mapping of the DNS transaction ID.
PAN-133727
Fixed an issue where Session Initiation Protocol (SIP) messages were not parsed correctly when the packet was received in separate segments, which caused the receiver to receive corrupted messages.
PAN-133673
Fixed an issue that caused a process (ikemgr) to exit when site-to-site VPNs experienced connectivity interruptions.
PAN-133495
Fixed an issue where the Terminal Server (TS) Agent disconnected on the firewall after a failover or reboot.
PAN-133285
Fixed an issue on the firewalls where configuring a default Online Certificate Status Protocol (OCSP) URL in front of an intermediate certificate authority (CA) in a certificate profile did not override the OCSP URL during the validation of client certificates issued by the intermediate CA.
PAN-132922
Fixed an issue where service objects were unable to be deleted if they were configured to exceed firewall limits.
PAN-131973
Fixed an issue where both firewalls in an HA active/passive configuration stopped responding at the same time.
PAN-130562
Fixed an issue where, in VM-Series firewalls deployed using init-cfg.txt in the bootstrap process and set in an HA configuration, the configuration did not display as synchronized due to the initcfg configuration.
PAN-130168
Fixed an issue where a process (pan_comm) stopped responding due to operation commands run during a commit.
PAN-128761
A fix was made to address an OS command injection vulnerability in the PAN-OS management interface that allowed authenticated administrators to execute arbitrary OS commands with root privileges (CVE-2020-2037).
PAN-128078
Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.
PAN-127434
Fixed an issue where reports for URLs were not generating the correct data output.
PAN-127318
Fixed an issue where the firewall intermittently dropped DNS A or AAAA queries received over IPSec tunnels due to a session installation failure.
PAN-126938
Fixed an issue where multiple daemons restarted due to MP ARP overflow.
PAN-125730
Fixed an issue where packets tagged with IP protocol 252 were incorrectly treated as GPRS tunneling protocol (GTP) traffic, which caused the packet processor to terminate.
PAN-125410
Fixed an issue where a new GPRS tunneling protocol version 2 control plane (GTPv2-C) session reused GTP-C tunnel parameters within two seconds after deleting the old GTP-C session, which caused a session conflict on the firewall.
PAN-121598
Fixed an issue where the PAN-OS XML API packet capture (pcap) export failed with the following error message: "Missing value for parameter device_name". Now, device_name and sessionid are no longer required parameters.
PAN-119118
Fixed an issue where license and content error files received from the update and license servers were not saved to disk.
PAN-118468
(VM-Series firewalls on VMware ESXi only) Fixed an issue where the firewall stayed in a boot loop and entered maintenance mode after adding a 60GB disk.
PAN-116843
Fixed an issue on Panorama where, when navigating through Policies, the following error message displayed: "show rule hit count op-command failed".
PAN-115093
Fixed an issue where the firewall generated excessive logs for content decoder (CTD) errors.
PAN-114540
Fixed an issue where renaming a template stack did not change the value and reset to the original value after you commit the change.
PAN-114427
Fixed an issue where an empty host name in the HTTP header caused a web server process (websrvr) to stop responding when you accessed the captive portal redirect page.
PAN-112988
Fixed an issue where a process (useridd) leaked memory, which caused the firewall to drop traffic and display the following error message: "Out-of-memory condition detected, kill process".
PAN-112539
Fixed an issue where the firewall stopped forwarding logs to the log collector from the Log Processing Card (LPC) after a commit push from Panorama due to a race condition.
PAN-112120
Fixed an issue where the threat Name field of a threat Custom Report displayed the threat ID instead of the threat name.
PAN-111614
Fixed an issue with summary reports where displayed dates were incorrect due to the date range calculation not considering the change in year.
PAN-102202
Fixed an issue where the OSPF summary Link State Advertisement (LSA) for the default 0.0.0.0/0 route was not advertised by the Area Border Router (ABR).
PAN-98803
Fixed an issue where the IP address-to-tag mappings for Dynamic Address Groups did not display as expected on Panorama after you configured the Panorama plugin to monitor virtual machines or endpoints in your AWS, Azure, or Cisco ACI environment without installing the NSX plugin.
PAN-98694
Fixed an issue on a PA-5200 Series firewall in a high availability (HA) active/passive configuration where the firewall dropped TCP-FIN packets after a failover.
