PAN-OS 9.1.7 Addressed Issues

PAN-OS® 9.1.7 addressed issues.
Fixed an issue with GPRS tunneling protocol (GTP) event packet capture (pcap) where enabling Packet Capture did not work.
Fixed an issue where multiple all_pktproc daemons restarted while processing HTTP/2 traffic in sw_offload.
Fixed an issue where a host information profile (HIP) report XML buffer caused a memory leak.
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
Fixed an issue in the configuration logs where the destination zone was masked by asterisks.
Fixed an issue where user information in the Clientless VPN wasn't handled properly in high availability (HA) configurations, which resulted in the firewall being unable to create more user sessions.
Fixed an issue in Panorama where frequent API requests caused the Panorama web interface to become unresponsive. This issue occurred because the web interface automatically refreshed after each request.
Fixed an issue where auto-commits failed for VM-Series firewalls bootstrapped with new content installation during bootstrap. The firewalls displayed the following error message:
Details:Error: Undefined application <application-name>
Fixed an issue in DPDK code that caused a system restart on a process (brdagent).
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where multicast groups were not set correctly, which caused ARP entries to display as and not update to correct values.
Fixed an issue for VM-Series firewalls deployed on Azure where a process (pan_comm) restarted if DPDK was on.
Fixed an issue where using XML API to download pcap did not work if the pcap file was larger than 8MB.
Fixed an issue where a dataplane process stopped responding while processing fragmented traffic on GTP-U tunnels.
Fixed an issue where a content update caused the Panorama XML cache build to fail. This resulted in references to the used objects on Panorama being removed, which caused commits on the managed firewalls to fail.
Fixed an issue where role-based administrators were unable to import certificate key pairs onto firewalls.
Fixed an issue where the firewall dropped GTPv2-x Create Session Response packets with the following error message:
bad port 84b
Fixed an issue where, when initial flows from both directions reached the firewall at the same time, a race condition occurred, which caused the firewall to display the following error message:
Duplicate flows detected while inserting <number>, flow <number> with the same key
The flow keys were identical due to the flows having the same SRC and DST ports.
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a character in the rule usage column.
Fixed an issue where MAC addresses containing certain characters in sequential order caused an issue with TCP connections.
Fixed an issue where the number of items under Add match criteria for Dynamic Address Groups did not update after setting a search filter string.
Fixed an issue where the firewall changed the TTL (time-to-live) value in DNS responses to 0 when the firewall failed to resolve the DNS Security service, which caused a large amount of DNS requests to be sent to the DNS server.
Fixed an issue where user activity reports failed to run when the firewall was in FIPS mode.
Fixed an issue where, when an out-of-order stream of TCP packets was subjected to HTTP header insertion, the packets were duplicated.
Fixed an issue on firewalls with HA active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the Inactivity Logout timer did not reset.
Fixed an issue where an XML API call to display configuration logs truncated the field of the logs if the entry had more than 64 characters.
Fixed an issue where the dynamic address group learned in the parent dynamic group was not pushed to the child dynamic address group if the child dynamic address group was not configured with notify groups under the respective plugin.
When using the CLI command debug dau settings device-group recursive yes/no, clear previous dynamic address group entries from the Panorama database using the CLI command debug dau clear database device-group <dynamic address group name> for all dynamic address groups under the hierarchy for the dynamic address group configured in the monitoring definition. Also, do a full sync from the plugins configured using the command request plugins <plugin-name> sync.
Fixed a rare issue with HTTP/2 decryption that caused packet header bytes to be corrupted, which caused packet drops.
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
Fixed an issue on the firewall where GlobalProtect Clientless VPN portal landing page customization for the variable did not take effect.
Fixed an issue where a Panorama virtual appliance was unable to manage more than 2,500 firewalls when 28 or more CPU cores were available.
Fixed an issue in a virtual wire deployment configured with Link State Pass Through enabled where, when one member port went down, the peer port took longer than expected to change the status to
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMware vCenter Server.
Fixed an issue where, after a change in Security policies, traffic logs for inner GTP-U sessions did not show fields following a commit.
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
Fixed an issue where the show gtp info CLI command returned an error.
Fixed a buffer overflow issue on the management server, which forced the administrator to log out on the web interface.
Fixed an issue where the clear log acc CLI command did not remove URL summary logs.
Fixed an issue where the first SYN message of an FTP-DATA connection was dropped on non-session-owner appliances in an HA active/active configuration.
Fixed an issue where the decryption profile was configured without the Block sessions with expired certificates option, but the firewall still blocked websites that were signed by an Expired AddTrust Root CA (certificate authority).
Fixed an issue where the firewall incorrectly created GTP-U sessions from Create Session Request and Create Session Response packets.
Fixed an issue where the last commit state did not change to config sent to device when pushing a device group configuration in the Managed Device > Summary page on Panorama.
Fixed an issue where the firewall management server crashed when a report with a duration of 7 or more days was run.
Fixed an issue where firewall buffers were depleted with GTP traffic due to the mishandling of conflicting sessions.
(VM-Series firewalls only) Fixed an issue where a memory leak occurred on a process (vm_agent) due to host synchronization check.
Fixed an issue where the firewall was unable to properly create stream control transmission protocol (SCTP) sessions for multi-homed environments when multiple endpoints on the same SCTP associations sent INIT/INIT-ACK chunks during handshakes.
Fixed an issue in a multi-vsys environment where the firewall dropped RTP predict sessions and was unable to match them to their parent sessions due to a zone change.
Fixed an issue where virtual memory of a process (configd) continuously increased until it stopped responding.
Fixed a memory leak issue in a process (configd) that caused the firewall to be inaccessible.
Fixed an issue where administrators were logged out of the web interface while making changes.
Fixed an issue where the filters were usable even though they did not return configuration logs.
Removed the fields device SN and device name on Panorama from the predefined filter used in Log Forwarding and Log Settings.
Fixed an issue where Cortex Data Lake traffic was identified as instead of
Fixed an issue where logs were not forwarded to the syslog server with the following error message:
profile: Syslog (1) is duplicated
Fixed an issue where authenticating to GlobalProtect via expired SAML requests (waiting more than 10 minutes) still sent authentication to the SAML server. This invalidated the previously connected gateway and connected users to the second best gateway.
Fixed an issue where the internal SQLite3 database was locked, which caused a process (useridd) to stop responding and group mapping retrieval to fail. This issue also caused the group mapping list to not display from the CLI.
Fixed an issue where a process (all_task_3) restarted, which caused the tunnels to reset.
(PA-7000 Series firewalls only) Fixed an issue where firewalls were unable to start up a Network Processing Card (NPC) due to a process (brdagent) restarting repeatedly.
Fixed an issue where a high volume of traffic over SSL VPN caused a process (all_pktproc) to unexpectedly stop responding.
Fixed an issue where the Group found flag was set to on User-ID logs on the web interface, even when the user belonged to a group retrieved from the Active Directory (AD) server.
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.