PAN-OS 9.1.5 Addressed Issues

PAN-OS® 9.1.5 addressed issues.
Issue ID
Added an enhancement that provides an option to increase Data Plane Development Kit (DPDK) ring size and DPDK queue number for VM-Series firewalls deployed on ESXi.
Fixed an issue where the firewall added a redundant
packet while processing Clientless VPN traffic.
Fixed an issue where certain GPRS tunneling protocol (GTP-U) sessions that could not complete installation still occupied the flow table, which led to higher session table usage.
Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.
Fixed an issue where logs weren't able to be migrated from PA-5200 Series firewalls manually via the CLI.
Fixed an issue where upgrading the capacity license on a virtual machine (VM) high availability (HA) pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.
PA-5200 and PA-7000 Series firewalls only
) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.
Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.
Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.
Fixed an issue where after a successful commit, the candidate configuration was not updated to running configuration when initiated by an API-privileges-only custom role based administrator.
PA-7000 Series firewalls only
) Added CLI commands to enable/disable resource-control groups and CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use
debug software resource-control enable
and to disable them, use
debug software resource-control disable
. To set the memory limit, use
debug management-server limit-memory enable
, and to remove the limit, use
debug management-server limit-memory disable
. For the memory limit change to take effect, the firewall must be rebooted.
Fixed an issue where the reply to an XML API call from Panorama was in a different format after upgrading to PAN-OS 8.1.14-h1 and later releases, which caused automated systems to fail the API call.
Fixed an issue with debug file handling that led to a process (mgmtsrvr) restart.
Fixed an issue where, if Panorama was connected to log collectors running an earlier release, a custom report query from Panorama, which includes new fields not supported in prior releases, triggered a restart on a process (reportd).
Fixed an issue where non-superuser administrators with all rights enabled were unable to
Review Policies
Review Apps
for downloaded or installed content versions.
Fixed an issue on Panorama where the web interface took more time than expected to load changes when the virtual router was large or when there was a large configuration change request from the web interface.
Fixed an issue on Panorama where system and configuration logs of dedicated Log Collectors did not show up on Panorama appliances in Management Only mode.
Fixed an issue where the CLI command
Show config running
following the CLI command
set cli op-command-xml-output on
produces an unreadable output.
Fixed an issue where XML API failed to fetch logs larger than 10MB.
Fixed an issue where Panorama stopped showing new logs when
was in the URL payload format of the HTTP(S) server profile used to forward URL logs from the Panorama Log Collector.
Fixed an issue where the object identifier (OID) being polled for the component
was not unique after a PAN-OS upgrade.
Fixed an issue where an API call for correlated events did not return any events.
Fixed an issue where, after a policy commit and session rematch, stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information.
Fixed an issue where host information profile (HIP) details were not available on Panorama even when a HIP redistribution configuration was in place.
Fixed an issue where TCP traffic dropped due to TCP sequence checking in an HA active/active configuration where traffic was asymmetric.
Fixed an issue in Panorama where a commit-all to the managed firewalls failed with the following error message:
invalid object reference
when address objects were uploaded using an external script.
Fixed an issue where traffic incorrectly matched URL based authentication policies.
A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).
Fixed an issue where a GlobalProtect client in a system with umlaut diacritics serial number was unable to log in to the GlobalProtect gateway.
Fixed an issue where memory usage on a process (useridd) was high, which caused the process to restart on the firewall acting as the User-ID redistribution agent. This issue occurred when multiple clients requested IP address-to-user mappings at the same time.
Fixed an issue where Application and Threat Content installation failed on the firewall with the following error message:
Error: Threat database handler failed
Fixed an issue on the firewalls where memory usage on a process (devsrvr) increased after running the
show object dynamic-address-group all
CLI command.
Fixed an issue where GlobalProtect IPsec connections flapped when the peer address to the gateway changed due to NAT.
Fixed an issue where memory allocation failure caused a process (pan_comm) to restart several times, which caused the firewall to restart.
Fixed an issue where BGP learned routes were incorrectly populated with a VR error as a next hop.
Fixed an issue on the firewalls where a process (all_pktproc) restarted while processing Session Traversal Utilities for NAT (STUN) over TCP.
Fixed an issue where exporting policies to PDF or CSV files did not include all policies and contained duplicates.
Fixed an issue where Application Command Center (ACC) data did not load when accessed from the
Top Applications
widget in the
Fixed an issue on the firewalls where traffic originating from a GlobalProtect user did not match HIP-based Security policies using the cached HIP report. Instead, the traffic was denied until the GlobalProtect agent submitted a new HIP report about 20 seconds later.
Fixed an issue where an inconsistent PAN-DB cloud connection caused the firewall to negotiate the incorrect version and decode the cloud responses with the incorrect format.
A fix was made to address a vulnerability in the PAN-OS signature-based threat detection engine that allowed an attacker to evade threat prevention signatures using specifically crafted TCP packets (CVE-2020-1999).
Fixed an issue on the firewalls where a process (all_task) stopped responding.
Fixed an issue on an M-600 appliance where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.
Fixed an issue with the automated correlation engine that caused firewalls to stop generating correlated event logs for the
object (ID 6005).
Fixed an issue where, when any change was made to an authentication profile, the LDAP server or local user database in a shared context removed the user group mapping information from the firewall.
Fixed an issue on Panorama where a custom administrator with all rights enabled was not able to display the content of the external dynamic list (EDL) on the Panorama web interface.
Fixed an issue where Log Collectors had problems ingesting logs for older days received at a high rate.
Fixed an issue where commits failed on the firewall due to memory allocation failure. Configuration memory can be checked using the
debug dataplane show cfg-memstat statistics
CLI command.
PA-7000 Series firewalls only
) Fixed an issue with intermittent packet loss for GlobalProtect SSL tunnel traffic.
Fixed an issue on Panorama where creating certificates took longer than expected, which caused configuration lock timeouts.
Fixed an issue where a process (mprelay) stopped responding and invoked an out-of-memory (OOM) killer condition and displayed the following error messages: `tcam full` and
Fixed an issue where a Panorama log query did not work for closed indices.
Fixed an issue where random member ports in a link aggregate group failed to join the aggregate group due to the following error:
Link speed mismatch
Fixed an issue that prevented GTP tunnel session timeout values from being configured via the web interface.
Fixed an issue where Panorama did not show correct logs filtered with
, and
Fixed an issue where an administrative user using custom admin roles and without access to the
tab was unable to expand the detailed views of
Monitor > Logs
Fixed an issue where SSH service restart management did not take effect in the SSH management server profile.
Fixed an issue where a large certificate chain transmission delayed the decryption process and did not populate the mutual authentication cache.
Fixed an issue where IP address-to-tag mapping entries had negative time-to-live (TTL) values instead of being removed after expiry.
Fixed an issue where, after rebooting the firewall, the SNMP object identifier (OID) for TCP connections per second (panVsysActiveTcpCps / . returned 0 until another OID was pulled. Additionally, after a restart of a daemon (snmpd), if the above OID was called before other OIDs, there was an approximate 10 second delay in populating the data pulled by each OID.
Fixed an issue where configuration synchronization failed in an HA configuration.
Fixed an issue where the Host Evasion Threat ID signature did not trigger for the initial session even after the DNS response was received before the session expired.
PA-7000 Series firewalls only
) Fixed a rare issue where the firewall rebooted due to path monitoring failure on the Log Processing Card (LPC).
Fixed an issue where a high number of groups in group mapping caused a process (useridd) to exit.
Fixed an issue where
Detailed Log View
Monitor > Logs > Traffic
) did not display the URL filtering logs as expected on HTTP/2 stream sessions.
PA-3200 Series firewalls only
) Fixed an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate was set as 2.
Fixed an issue where the web interface and the CLI were inaccessible, which caused the following error message to display on the web interface:
Timed out while getting config lock
Fixed an issue where HIP reports failed to show up via the web interface or the CLI.
Fixed an issue where a large number of groups in group mappings caused a process (useridd) to exit.
Fixed an issue where pushing a configuration from a Panorama management server running PAN-OS 9.0 to a firewall running PAN-OS 8.1 produced a HTTP/2 warning. To leverage this fix, update both Panorama and the firewall to PAN-OS 9.1.5.
Fixed a cosmetic issue where misleading App-ID and rule shadowing warnings populated after a commit.
Fixed an issue where Panorama became inaccessible with the following error message:
Timed out while getting config lock
Fixed an issue where the serial number was unknown for VM-Series firewalls after upgrading from PAN-OS 8.0 to PAN-OS 8.1.
Fixed an issue where the paths between the control plane and the dataplanes in network processing cards (NPCs) stalled in the dataplane-to-control plane direction due to the Ring Descriptor entries becoming out of sync on each side. This produced unrecoverable data path monitoring failures, which caused the chassis to become nonfunctional.
Fixed an issue in Panorama where the template stack drop-down was missing templates when using access domain. This issue is fixed only for existing template stacks.
Fixed an issue where IP tags were not evaluated in the filter evaluation criteria when Dynamic Address Groups were configured.
Fixed an issue where Panorama commits failed due to a process (useridd) running on high file descriptors as a large number firewalls connect to Panorama for User-ID redistribution.
Fixed an issue where
for HA1 and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly reported.
Fixed an intermittent issue where user-to-IP address mappings were not redistributed to client firewalls.
Fixed an issue where a configuration push from Panorama to the firewall showed the
Commit All
status as completed even though the job was still being processed.
Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.
PA-220 firewalls only
) Fixed an issue where rx-broadcast and rx-multicast interface counters were not increasing even broadcast and/or multicast traffic was being received.
Fixed a memory leak issue where virtual memory used by the SNMP process started to slowly increase when the request was sent with a
of 0.
PA-800 Series firewalls only
) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.
Fixed an issue where syslog connection failures were frequently reported in system logs.
Fixed an issue where certificate-based authentication with IKEv2 IPSec tunnels failed to establish with some third-party vendors.
Fixed an issue where the XML API used to retrieve hardware status periodically failed with a 200 OK message and no data.
A fix was made to address an information exposure vulnerability in Panorama that disclosed the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performed a context switch (CVE-2020-2022).
A fix was made to address a vulnerability where Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls were not cleared before the data frame was created (CVE-2021-3031).
Added support of high powered module PAN-QSFP28-100GBASE-ER4.
Fixed an issue on Panorama where WildFire cloud content download failed for content deployment to the WF-500 appliance.
Fixed an issue where template variable view failed to display some template variables when the
Device Priority
type variable was configured.
Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.
Fixed an issue that caused a daemon (snmpd) to hang when sending a Simple Network Management Protocol (SNMP) GET request for
on a Panorama appliance in Management Only mode.
Fixed an issue where mounting failure occurred and root partition reached 100%.
Fixed an issue where the firewall and Panorama web interface did not present HSTS headers to your web browser.
Fixed an issue where, when defining the match criteria for dynamic address groups on Panorama, the boolean AND/OR operators did not function properly.

Recommended For You