PAN-OS 9.1.5 Addressed Issues

PAN-OS® 9.1.5 addressed issues.
Issue ID
Description
PAN-154092
Added an enhancement that provides an option to increase Data Plane Development Kit (DPDK) ring size and DPDK queue number for VM-Series firewalls deployed on ESXi.
PAN-152699
Fixed an issue where the firewall added a redundant
0\r\n
packet while processing Clientless VPN traffic.
PAN-152285
Fixed an issue where certain GPRS tunneling protocol (GTP-U) sessions that could not complete installation still occupied the flow table, which led to higher session table usage.
PAN-151203
Fixed an issue where the firewall dropped certain GTPv1 Update PDP Context packets.
PAN-151164
Fixed an issue where logs weren't able to be migrated from PA-5200 Series firewalls manually via the CLI.
PAN-151057
Fixed an issue where upgrading the capacity license on a virtual machine (VM) high availability (HA) pair resulted in both firewalls going into a non-functional state instead of only the higher capacity license firewall.
PAN-150750
(
PA-5200 and PA-7000 Series firewalls only
) Fixed an intermittent issue where the firewall dropped packets when two or more GTP packets on the same GTP tunnel were very close to each other.
PAN-150748
Fixed an issue where the firewall silently dropped GTPv2-C Delete Session Response packets.
PAN-150746
Fixed an issue where the firewall dropped GTP packets with Delete Bearer messages for EBI 6 if they were received within two seconds of receiving the Delete Bearer messages for EBI 5.
PAN-150243
Fixed an issue where after a successful commit, the candidate configuration was not updated to running configuration when initiated by an API-privileges-only custom role based administrator.
PAN-149839
(
PA-7000 Series firewalls only
) Added CLI commands to enable/disable resource-control groups and CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use
debug software resource-control enable
and to disable them, use
debug software resource-control disable
. To set the memory limit, use
debug management-server limit-memory enable
, and to remove the limit, use
debug management-server limit-memory disable
. For the memory limit change to take effect, the firewall must be rebooted.
PAN-149813
Fixed an issue where the reply to an XML API call from Panorama was in a different format after upgrading to PAN-OS 8.1.14-h1 and later releases, which caused automated systems to fail the API call.
PAN-149770
Fixed an issue with debug file handling that led to a process (mgmtsrvr) restart.
PAN-149480
Fixed an issue where, if Panorama was connected to log collectors running an earlier release, a custom report query from Panorama, which includes new fields not supported in prior releases, triggered a restart on a process (reportd).
PAN-149426
Fixed an issue where non-superuser administrators with all rights enabled were unable to
Review Policies
or
Review Apps
for downloaded or installed content versions.
PAN-149325
Fixed an issue on Panorama where the web interface took more time than expected to load changes when the virtual router was large or when there was a large configuration change request from the web interface.
PAN-149296
Fixed an issue on Panorama where system and configuration logs of dedicated Log Collectors did not show up on Panorama appliances in Management Only mode.
PAN-149008
Fixed an issue where the CLI command
Show config running
following the CLI command
set cli op-command-xml-output on
produces an unreadable output.
PAN-149005
Fixed an issue where XML API failed to fetch logs larger than 10MB.
PAN-148564
Fixed an issue where Panorama stopped showing new logs when
url_category_list
was in the URL payload format of the HTTP(S) server profile used to forward URL logs from the Panorama Log Collector.
PAN-148087
Fixed an issue where the object identifier (OID) being polled for the component
hrStorageUsed
was not unique after a PAN-OS upgrade.
PAN-147741
Fixed an issue where an API call for correlated events did not return any events.
PAN-147595
Fixed an issue where, after a policy commit and session rematch, stream control transmission protocol (SCTP) logs for an existing SCTP session still showed old rule information.
PAN-147285
Fixed an issue where host information profile (HIP) details were not available on Panorama even when a HIP redistribution configuration was in place.
PAN-146878
Fixed an issue where TCP traffic dropped due to TCP sequence checking in an HA active/active configuration where traffic was asymmetric.
PAN-146841
Fixed an issue in Panorama where a commit-all to the managed firewalls failed with the following error message:
invalid object reference
when address objects were uploaded using an external script.
PAN-146787
Fixed an issue where traffic incorrectly matched URL based authentication policies.
PAN-146650
A fix was made to address an authentication bypass vulnerability in the GlobalProtect SSL VPN component of PAN-OS that allowed an attacker to bypass all client certificate checks with an invalid certificate. As a result, the attacker was able to authenticate as any user and gain access to restricted VPN network resources when the gateway or portal was configured to rely only on certificate-based authentication (CVE-2020-2050).
PAN-146623
Fixed an issue where a GlobalProtect client in a system with umlaut diacritics serial number was unable to log in to the GlobalProtect gateway.
PAN-146506
Fixed an issue where memory usage on a process (useridd) was high, which caused the process to restart on the firewall acting as the User-ID redistribution agent. This issue occurred when multiple clients requested IP address-to-user mappings at the same time.
PAN-146284
Fixed an issue where Application and Threat Content installation failed on the firewall with the following error message:
Error: Threat database handler failed
.
PAN-146117
Fixed an issue on the firewalls where memory usage on a process (devsrvr) increased after running the
show object dynamic-address-group all
CLI command.
PAN-146115
Fixed an issue where GlobalProtect IPsec connections flapped when the peer address to the gateway changed due to NAT.
PAN-146107
Fixed an issue where memory allocation failure caused a process (pan_comm) to restart several times, which caused the firewall to restart.
PAN-145823
Fixed an issue where BGP learned routes were incorrectly populated with a VR error as a next hop.
PAN-145757
Fixed an issue on the firewalls where a process (all_pktproc) restarted while processing Session Traversal Utilities for NAT (STUN) over TCP.
PAN-145752
Fixed an issue where exporting policies to PDF or CSV files did not include all policies and contained duplicates.
PAN-145721
Fixed an issue where Application Command Center (ACC) data did not load when accessed from the
Top Applications
widget in the
Dashboard
.
PAN-145507
Fixed an issue on the firewalls where traffic originating from a GlobalProtect user did not match HIP-based Security policies using the cached HIP report. Instead, the traffic was denied until the GlobalProtect agent submitted a new HIP report about 20 seconds later.
PAN-145305
Fixed an issue where an inconsistent PAN-DB cloud connection caused the firewall to negotiate the incorrect version and decode the cloud responses with the incorrect format.
PAN-145133
A fix was made to address a vulnerability in the PAN-OS signature-based threat detection engine that allowed an attacker to evade threat prevention signatures using specifically crafted TCP packets (CVE-2020-1999).
PAN-145041
Fixed an issue on the firewalls where a process (all_task) stopped responding.
PAN-144919
Fixed an issue on an M-600 appliance where the Panorama management server stopped receiving new logs from firewalls because delayed log purging caused log storage on the Log Collectors to reach maximum capacity.
PAN-144448
Fixed an issue with the automated correlation engine that caused firewalls to stop generating correlated event logs for the
beacon-heuristics
object (ID 6005).
PAN-144232
Fixed an issue where, when any change was made to an authentication profile, the LDAP server or local user database in a shared context removed the user group mapping information from the firewall.
PAN-143959
Fixed an issue on Panorama where a custom administrator with all rights enabled was not able to display the content of the external dynamic list (EDL) on the Panorama web interface.
PAN-143809
Fixed an issue where Log Collectors had problems ingesting logs for older days received at a high rate.
PAN-143796
Fixed an issue where commits failed on the firewall due to memory allocation failure. Configuration memory can be checked using the
debug dataplane show cfg-memstat statistics
CLI command.
PAN-143010
(
PA-7000 Series firewalls only
) Fixed an issue with intermittent packet loss for GlobalProtect SSL tunnel traffic.
PAN-142562
Fixed an issue on Panorama where creating certificates took longer than expected, which caused configuration lock timeouts.
PAN-142363
Fixed an issue where a process (mprelay) stopped responding and invoked an out-of-memory (OOM) killer condition and displayed the following error messages: `tcam full` and
pan_plfm_fe_cp_arp_delete
.
PAN-142219
Fixed an issue where a Panorama log query did not work for closed indices.
PAN-141980
Fixed an issue where random member ports in a link aggregate group failed to join the aggregate group due to the following error:
Link speed mismatch
.
PAN-141895
Fixed an issue that prevented GTP tunnel session timeout values from being configured via the web interface.
PAN-141793
Fixed an issue where Panorama did not show correct logs filtered with
not
,
leq
, and
geq
.
PAN-141717
Fixed an issue where an administrative user using custom admin roles and without access to the
Device
tab was unable to expand the detailed views of
Monitor > Logs
.
PAN-141551
Fixed an issue where SSH service restart management did not take effect in the SSH management server profile.
PAN-141296
Fixed an issue where a large certificate chain transmission delayed the decryption process and did not populate the mutual authentication cache.
PAN-140900
Fixed an issue where IP address-to-tag mapping entries had negative time-to-live (TTL) values instead of being removed after expiry.
PAN-140883
Fixed an issue where, after rebooting the firewall, the SNMP object identifier (OID) for TCP connections per second (panVsysActiveTcpCps / .1.3.6.1.4.1.25461.2.1.2.3.9.1.6.1) returned 0 until another OID was pulled. Additionally, after a restart of a daemon (snmpd), if the above OID was called before other OIDs, there was an approximate 10 second delay in populating the data pulled by each OID.
PAN-140736
Fixed an issue where configuration synchronization failed in an HA configuration.
PAN-140382
Fixed an issue where the Host Evasion Threat ID signature did not trigger for the initial session even after the DNS response was received before the session expired.
PAN-140227
(
PA-7000 Series firewalls only
) Fixed a rare issue where the firewall rebooted due to path monitoring failure on the Log Processing Card (LPC).
PAN-140173
Fixed an issue where a high number of groups in group mapping caused a process (useridd) to exit.
PAN-140100
Fixed an issue where
Detailed Log View
(
Monitor > Logs > Traffic
) did not display the URL filtering logs as expected on HTTP/2 stream sessions.
PAN-140084
(
PA-3200 Series firewalls only
) Fixed an issue where the default Dynamic IP and Port (DIPP) NAT oversubscription rate was set as 2.
PAN-139991
Fixed an issue where the web interface and the CLI were inaccessible, which caused the following error message to display on the web interface:
Timed out while getting config lock
.
PAN-139233
Fixed an issue where HIP reports failed to show up via the web interface or the CLI.
PAN-139136
Fixed an issue where a large number of groups in group mappings caused a process (useridd) to exit.
PAN-138427
Fixed an issue where pushing a configuration from a Panorama management server running PAN-OS 9.0 to a firewall running PAN-OS 8.1 produced a HTTP/2 warning. To leverage this fix, update both Panorama and the firewall to PAN-OS 9.1.5.
PAN-137663
Fixed a cosmetic issue where misleading App-ID and rule shadowing warnings populated after a commit.
PAN-137157
Fixed an issue where Panorama became inaccessible with the following error message:
Timed out while getting config lock
.
PAN-135989
Fixed an issue where the serial number was unknown for VM-Series firewalls after upgrading from PAN-OS 8.0 to PAN-OS 8.1.
PAN-135354
Fixed an issue where the paths between the control plane and the dataplanes in network processing cards (NPCs) stalled in the dataplane-to-control plane direction due to the Ring Descriptor entries becoming out of sync on each side. This produced unrecoverable data path monitoring failures, which caused the chassis to become nonfunctional.
PAN-135071
Fixed an issue in Panorama where the template stack drop-down was missing templates when using access domain. This issue is fixed only for existing template stacks.
PAN-134907
Fixed an issue where IP tags were not evaluated in the filter evaluation criteria when Dynamic Address Groups were configured.
PAN-134745
Fixed an issue where Panorama commits failed due to a process (useridd) running on high file descriptors as a large number firewalls connect to Panorama for User-ID redistribution.
PAN-134226
Fixed an issue where
AdminStatus
for HA1 and High Speed Chassis Interconnect (HSCI) interfaces were incorrectly reported.
PAN-133934
Fixed an intermittent issue where user-to-IP address mappings were not redistributed to client firewalls.
PAN-131750
Fixed an issue where a configuration push from Panorama to the firewall showed the
Commit All
status as completed even though the job was still being processed.
PAN-130955
Fixed an issue where templates on the secondary Panorama appliance were out of sync with the primary Panorama appliance due to an empty content-preview node.
PAN-130389
(
PA-220 firewalls only
) Fixed an issue where rx-broadcast and rx-multicast interface counters were not increasing even broadcast and/or multicast traffic was being received.
PAN-130357
Fixed a memory leak issue where virtual memory used by the SNMP process started to slowly increase when the request was sent with a
request-id
of 0.
PAN-129376
(
PA-800 Series firewalls only
) Fixed an issue that prevented ports 9-12 from being powered down by hardware after being requested to do so.
PAN-129234
Fixed an issue where syslog connection failures were frequently reported in system logs.
PAN-128048
Fixed an issue where certificate-based authentication with IKEv2 IPSec tunnels failed to establish with some third-party vendors.
PAN-126353
Fixed an issue where the XML API used to retrieve hardware status periodically failed with a 200 OK message and no data.
PAN-125218
A fix was made to address an information exposure vulnerability in Panorama that disclosed the token for the Panorama web interface administrator's session to a managed device when the Panorama administrator performed a context switch (CVE-2020-2022).
PAN-124681
A fix was made to address a vulnerability where Ethernet packets on PA-200, PA-220, PA-500, PA-800, PA-2000 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls were not cleared before the data frame was created (CVE-2021-3031).
PAN-121035
Added support of high powered module PAN-QSFP28-100GBASE-ER4.
PAN-120245
Fixed an issue on Panorama where WildFire cloud content download failed for content deployment to the WF-500 appliance.
PAN-119982
Fixed an issue where template variable view failed to display some template variables when the
Device Priority
type variable was configured.
PAN-115541
Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.
PAN-112449
Fixed an issue that caused a daemon (snmpd) to hang when sending a Simple Network Management Protocol (SNMP) GET request for
LcLogUsageTable
on a Panorama appliance in Management Only mode.
PAN-110423
Fixed an issue where mounting failure occurred and root partition reached 100%.

Recommended For You