PAN-OS 9.1.7 Addressed Issues
PAN-OS® 9.1.7 addressed issues.
Fixed an issue with GPRS tunneling protocol (GTP) event packet capture (pcap) where enabling Packet Capture did not work.
Fixed an issue where a host information profile (HIP) report XML buffer caused a memory leak.
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
Fixed an issue in the configuration logs where the destination zone was masked by asterisks.
Fixed an issue where user information in the Clientless VPN wasn't handled properly in high availability (HA) configurations, which resulted in the firewall being unable to create more user sessions.
Fixed an issue in Panorama where frequent API requests caused the Panorama web interface to become unresponsive. This issue occurred because the web interface automatically refreshed after each request.
Fixed an issue where auto-commits failed for VM-Series firewalls bootstrapped with new content installation during bootstrap. The firewalls displayed the following error message:
Details:Error: Undefined application <application-name>.
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where multicast groups were not set correctly, which caused ARP entries to display as incomplete and not update to correct values.
Fixed an issue where using XML API to download pcap did not work if the pcap file was larger than 8MB.
Fixed an issue where a dataplane process stopped responding while processing fragmented traffic on GTP-U tunnels.
Fixed an issue where a content update caused the Panorama XML cache build to fail. This resulted in references to the used objects on Panorama being removed, which caused commits on the managed firewalls to fail.
Fixed an issue where role-based administrators were unable to import certificate key pairs onto firewalls.
Fixed an issue where the firewall dropped GTPv2-x Create Session Response packets with the following error message:
bad port 84b.
Fixed an issue where, when initial flows from both directions reached the firewall at the same time, a race condition occurred, which caused the firewall to display the following error message:
Duplicate flows detected while inserting <number>, flow <number> with the same key. The flow keys were identical due to the flows having the same SRC and DST ports.
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a - character in the rule usage column.
Fixed an issue where MAC addresses containing certain characters in sequential order caused an issue with TCP connections.
Fixed an issue where the number of items under Add match criteria for Dynamic Address Groups did not update after setting a search filter string.
Fixed an issue where the firewall changed the TTL (time-to-live) value in DNS responses to 0 when the firewall failed to resolve the DNS Security service, which caused a large number of DNS requests to be sent to the DNS server.
Fixed an issue where user activity reports failed to run when the firewall was in FIPS mode.
Fixed an issue where, when an out-of-order stream of TCP packets was subjected to HTTP header insertion, the packets were duplicated.
Fixed an issue on firewalls with HA active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the Inactivity Logout timer did not reset.
Fixed an issue where an XML API call to display configuration logs truncated the change-preview field of the logs if the entry had more than 64 characters.
Fixed an issue where the dynamic address group learned in the parent dynamic group was not pushed to the child dynamic address group if the child dynamic address group was not configured with notify groups under the respective plugin.
When using the CLI command debug dau settings device-group recursive yes/no, clear previous dynamic address group entries from the Panorama database using the CLI command debug dau clear database device-group <dynamic address group name> for all dynamic address groups under the hierarchy for the dynamic address group configured in the monitoring definition. Also, do a full sync from the plugins configured using the command request plugins <plugin-name> sync.
Fixed a rare issue with HTTP/2 decryption that caused packet header bytes to be corrupted, which caused packet drops.
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
Fixed an issue on the firewall where GlobalProtect Clientless VPN portal landing page customization for the navbar_bg_color variable did not take effect.
Fixed an issue where a Panorama virtual appliance was unable to manage more than 2,500 firewalls when 28 or more CPU cores were available.
Fixed an issue in a virtual wire deployment configured with Link State Pass Through enabled where, when one member port went down, the peer port took longer than expected to change the status to
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMware vCenter Server.
Fixed an issue where, after a change in Security policies, traffic logs for inner GTP-U sessions did not show IMEI fields following a commit.
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
Fixed an issue where the show gtp info CLI command returned an error.
Fixed a buffer overflow issue on the management server, which forced the administrator to log out on the web interface.
Fixed an issue where the clear log acc CLI command did not remove URL summary logs.
Fixed an issue where the first SYN message of an FTP-DATA connection was dropped on non-session-owner appliances in an HA active/active configuration.
Fixed an issue where the decryption profile was configured without the Block sessions with expired certificates option, but the firewall still blocked websites that were signed by an Expired AddTrust Root CA (certificate authority).
Fixed an issue where the firewall incorrectly created GTP-U sessions from Create Session Request and Create Session Response packets.
Fixed an issue where the last commit state did not change to config sent to device when pushing a device group configuration in the Managed Device > Summary page on Panorama.
Fixed an issue where the firewall management server crashed when a report with a duration of 7 or more days was run.
Fixed an issue where firewall buffers were depleted with GTP traffic due to the mishandling of conflicting sessions.
Fixed an issue where the firewall was unable to properly create stream control transmission protocol (SCTP) sessions for multi-homed environments when multiple endpoints on the same SCTP associations sent INIT/INIT-ACK chunks during handshakes.
Fixed an issue in a multi-vsys environment where the firewall dropped RTP predict sessions and was unable to match them to their parent sessions due to a zone change.
Fixed an issue where administrators were logged out of the web interface while making changes.
Fixed an issue where the after-change-preview filters were usable even though they did not return configuration logs.
Removed the fields device name on Panorama from the predefined filter used in
Fixed an issue where Cortex Data Lake traffic was identified as
Fixed an issue where logs were not forwarded to the syslog server with the following error message:
profile: Syslog (1) is duplicated.
Fixed an issue where authenticating to GlobalProtect via expired SAML requests (waiting more than 10 minutes) still sent authentication to the SAML server. This invalidated the previously connected gateway and connected users to the second best gateway.
Fixed an issue where the internal SQLite3 database was locked, which caused a process (useridd) to stop responding and group mapping retrieval to fail. This issue also caused the group mapping list to not display from the CLI.
Fixed an issue where the Group found flag was set to NO on User-ID logs on the web interface, even when the user belonged to a group retrieved from the Active Directory (AD) server.
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.