PAN-OS 9.1.6 Addressed Issues

PAN-OS® 9.1.6 addressed issues.
Issue ID
Description
PAN-154166
(
VM-500 and later firewalls only
) A new CLI command was added to increase the number of threads for handling incoming GlobalProtect connection requests when there is a high login rate and a slow authentication response from an external server.
PAN-154114
A fix was made to address a vulnerability related to information exposure through log files in PAN-OS where secrets in PAN-OS XML API requests were logged in cleartext in the web server logs when the API was used incorrectly (CVE-2021-3036).
PAN-154093
Fixed an issue where a process (httpd) restarted during Security Assertion Markup Language (SAML) logout sessions initiated from the IdP.
PAN-153983
Fixed an issue where the IPSec encapsulation sequence was not properly synced to the dataplanes on a high availability (HA) active/passive cluster.
PAN-153874
Fixed a capacity issue caused by high operational activity and large configurations on Panorama. This fix increased the virtual memory limit on the configd process to 32GB.
PAN-153868
Fixed an issue where firewall forwarding logs to Cortex Data Lake displayed
License
as gray and device connectivity as
Error
under
Logging Service Status
.
PAN-153813
Fixed an issue where the proxy configuration did not get honored, which caused certificate revocation list (CRL) checks from the firewall to fail.
PAN-153673
Fixed an issue where traffic logs were not shown due to a thread timeout that was causing the reading of the logs from the dataplane to slow.
PAN-153440
Fixed an issue where firewalls repeatedly connected and disconnected to Cortex Data Lake due to a probing issue.
PAN-153436
Added CLI commands to increase thread limits to reduce task thread exhaustion on a process (configd).
PAN-153111
Fixed an issue where packet buffer unavailability caused host-bound sessions to remain in an opening state in the dataplane.
PAN-152706
Fixed an intermittent issue where Panorama did not retrieve firewall logs from Cortex Data Lake.
PAN-152440
Fixed an issue where the syntax on GlobalProtect DNS suffixes was not validated.
PAN-152282
Fixed an issue where platforms using AHO for content and application inspection run into dataplane process (all_pktproc) restarts.
PAN-152253
Fixed an issue where the Destination NAT with
DNS Rewrite
enabled and set to
forward
did not work when the destination IP address was a single IP address instead of an IP range.
PAN-152106
Fixed an issue where a process (genindex.sh) caused the management plane CPU usage to remain high for a longer period of time than expected.
PAN-152027
Fixed an issue with URL Filtering where websites that were previously in the malicious category but have since been cleared remained in the malicious category in the dataplane cache. These websites were moved to the benign category only after you manually cleared the cache.
PAN-152017
Fixed an issue where a VM-Series firewall on Amazon Web Services (AWS) failed on first reboot after enabling FIPS mode
PAN-151692
Fixed a permission issue where a Panorama administrator was unable to download or install dynamic updates (
Panorama > Device Deployment
).
PAN-151149
Fixed an issue where certificates, custom logos, and SAML metadata were unable to be uploaded from the web interface using a Chromium-based browser running version 84 or later.
PAN-150613
Fixed an issue that caused a process (mprelay) to stop responding when committing changes in the Netflow Server Profile configuration (
Device > Server Profiles > Netflow
).
PAN-150305
Fixed an issue where the output for
show user ip-user-mapping-mp all
, when called via XML API, was written to a file instead of returned via the API.
PAN-149912
Fixed an issue where FIB entries were unexpectedly removed due to miscommunication between internal processes.
PAN-149696
Fixed an intermittent issue where the GlobalProtect portal stopped responding with a 502 Bad Gateway response page when trying to access the portal URL using a web browser.
PAN-149295
Fixed an issue where the Safe Search Block Page was visible for a few seconds when browsing HTTP2 websites, which resulted in latency when browsing.
PAN-149248
Fixed an issue that prevented Panorama from pushing dynamic content to VM-Series firewalls configured with a pay-as-you-go (PAYG) license.
PAN-149217
Fixed an issue where overridden TCP timeout values for service-based sessions did not take effect, and sessions timed out according to default application values.
PAN-149054
Fixed an issue in Panorama where a commit-all to managed firewalls failed after renaming a device group.
PAN-149006
Fixed an issue on VM-Series firewalls deployed on Google Cloud Platform (GCP) where traffic was backhauled after a reboot when the policy-based forwarding (PBF) enforced symmetric return with a next hop feature was enabled and interface IP addresses were learned via DHCP.
PAN-149001
Fixed an issue where, when using certificate profiles configured under specific virtual systems (vsys), the GlobalProtect
Machine Certification Check
and
HIP Object
fail during a client certificate check.
PAN-148441
Fixed an issue where required processes were not automatically restarted on the Log Processing Card (LPC) or the Log Forwarding Card (LFC).
PAN-147847
Fixed an issue where traffic didn't hit the intended Security policy if SSL forward proxy was enabled and service was set to
application-default
.
PAN-147796
Fixed an issue on the firewalls with an IPsec/Encapuslating Security Payload (ESP) traffic with GlobalProtect gateway configuration where multiple processes (flow_ctrl, pktlog_forwarding, and all_task) restarted, which caused the device to reboot.
PAN-147529
Fixed an issue where
ValidateAll
jobs were incorrectly logged as
CommitAll
in the configuration log of the firewall.
PAN-147305
Fixed an issue where a process (useridd) stopped responding to requests.
PAN-147298
(
PA-7050 and PA-7080 firewalls with 100G NPC only
) Fixed an issue where jumbo frames brought down the Network Processing Card (NPC) when traffic traversed the firewall at a high rate.
PAN-147130
Fixed an issue where user-to-IP address mapping that was redistributed between virtual systems (vsys) was not removed when the XML API unique identifier (UID) payload was set to
timeout=Never
.
PAN-147036
Fixed an issue where TCP connections got stuck between the firewall and the Log Collector if some packets were dropped on the path between the two appliances.
PAN-146763
Fixed a configuration issue on a multi-vsys where the configured interface service route for email schedule reports was not being used.
PAN-146215
(
FPP offload based hardware model only
) Fixed an issue where, when UDP traffic that was received on a tunnel had back-to-back client-to-server packets, random packets dropped.
PAN-145996
An update was made to change the following system log message:
DO NOT CHOOSE WMI in Active-Directory FOR YOUR USE CASE IF SEE THIS LOG AGAIN IN <number> SECONDS
to
Please change server monitor(log server) Transport Protocol from WMI to WinRM for better performance
. This update also reduces the severity from
High
to
Informational
.
PAN-145524
Fixed an issue where
ACC > GlobalProtect Activity
on Panorama in management only mode with a dedicated log collector did not display any reports.
PAN-145475
Fixed an issue where the firewall sent Bidirectional Forwarding Detection (BFD) packets with the final bit always set to
on
. With this fix, the final bit is cleared after the first response.
PAN-145385
Fixed a rare issue where HTTP/2 sessions matched to an incorrect policy.
PAN-145188
Fixed an issue on Panorama in PAN-DB mode where content updates did not successfully install, which caused the cloud state to degrade.
PAN-144723
A new CLI command was added to better handle SSL-decrypted sessions where TCP port numbers were reused before the TIME_WAIT period expired.
PAN-144410
Debug logs were added to detect an out-of-memory (OOM) condition that caused the management server to restart.
PAN-143332
(
PA-800 Series firewalls only
) Fixed an issue where the deployment of the Master Key through the web interface failed.
PAN-142867
Fixed an issue where service session timeout override was not used for custom applications and the default value was chosen instead.
PAN-140492
Fixed an issue on the firewall where, with SSL forward proxy feature enabled, random file downloads over a decrypted session would stall or hang in the middle.
PAN-139007
Fixed an issue where
URL Filtering
logs were misaligned when exported from the firewall due to the presence of a comma in the
User-Agent
field of the logs.
PAN-138995
Fixed an issue where even after disabling
Tasks
in the web interface of an
Admin Role Profile
, the
Task Manager
panel appeared during a commit.
PAN-138926
Fixed an issue where an improperly formatted GlobalProtect Portal from the CLI was able to be created, which prevented it from being seeing in the web interface.
PAN-138573
Fixed an issue where the keyword
[Disabled]
was missing from the disabled policies exported in CSV/PDF format.
PAN-137741
Fixed an issue where the data for a botnet report was deleted before the botnet report was completed.
PAN-137671
Fixed an issue where testing and confirming server connections from
Panorama > Server profiles > HTTP > Test Server Connection
did not work.
PAN-136652
(
PA-3200 Series and PA-800 Series firewalls only
) Fixed an issue where you were unable to disable auto negotiation on small form-factor pluggable (SFP) ports.
PAN-135228
Fixed an issue where
Destination_Interface
(
Templates > Network > QoS > QoS Interface > Clear Text Traffic
) was not available when configuring QoS using the Panorama web interface.
PAN-134909
Fixed an issue where region information was not called due to a mismatch in uppercase and lowercase letters in the region name.
PAN-134840
Fixed an issue where pre-logon users failed authentication if the cookie was expired, instead of using certificate authentication.
PAN-134467
Fixed an issue with the GlobalProtect portal where pre-logon authentication failed when agent Config Selection Critiera was configured on the firewall.
PAN-134251
(
PA-7000 Series firewalls only
) Fixed an issue where unplugging cables from Quad Small Form-factor Pluggable (QSFP) interfaces on 100G NPC causes path monitoring failures.
PAN-133774
Fixed an issue where the
Logging Services Status
was incorrect. This was caused by the namespace of the daemons that were running not being updated correctly.
PAN-133388
Fixed an issue where an HA configuration went out of sync when the HA sync job was queued and processed during an ongoing content installation job on the passive firewall.
PAN-132055
Fixed an issue where a process (mgmtsrvr) was unresponsive when the number of active file descriptors was greater than 1024.
PAN-132053
Added an enhancement to improve handling for firewall management web interface sessions that timeout so that the message
Your session has expired
does not display. Now, the web interface will present a timeout page that presents a button to redirect back to the login page.
PAN-121484
Fixed an issue where the dataplane sent positive acknowledgments to predict-status checks from FPP when the corresponding predict was deleted, which caused SIP and RTSP applications to perform less than the expected achievable performance.
PAN-110511
Fixed an issue where a passive Panorama appliance reported that device groups were out of sync despite a successful HA sync from the active Panorama appliance. This issue occurred when the address objects defined in the device group were in use under the corresponding template.
PAN-109877
Fixed an issue where BGP flapped continuously with Jumbo Frames enabled on the firewall.

Recommended For You