PAN-OS 9.1.7 Addressed Issues

PAN-OS® 9.1.7 addressed issues.
Issue ID
Description
PAN-158691
Fixed an issue with GPRS tunneling protocol (GTP) event packet capture (pcap) where enabling Packet Capture did not work.
PAN-156375
Fixed an issue where multiple all_pktproc daemons restarted while processing HTTP/2 traffic in sw_offload.
PAN-156017
Fixed an issue where a host information profile (HIP) report XML buffer caused a memory leak.
PAN-155517
Fixed an issue where a sudden increase in URL-cloud data challenged the cache capacity of the device.
PAN-155453
Fixed an issue in the configuration logs where the destination zone was masked by asterisks.
PAN-155053
Fixed an issue where user information in the Clientless VPN wasn't handled properly in high availability (HA) configurations, which resulted in the firewall being unable to create more user sessions.
PAN-154323
Fixed an issue in Panorama where frequent API requests caused the Panorama web interface to become unresponsive. This issue occurred because the web interface automatically refreshed after each request.
PAN-154016
Fixed an issue where auto-commits failed for VM-Series firewalls bootstrapped with new content installation during bootstrap. The firewalls displayed the following error message: Details:Error: Undefined application <application-name>.
PAN-153791
Fixed an issue in DPDK code that caused a system restart on a process (brdagent).
PAN-153526
(PA-7000 Series firewalls with 100G NPC (Network Processing Cards) only) Fixed an issue where multicast groups were not set correctly, which caused ARP entries to display as incomplete and not update to correct values.
PAN-153207
Fixed an issue for VM-Series firewalls deployed on Azure where a process (pan_comm) restarted if DPDK was on.
PAN-153174
Fixed an issue where using XML API to download pcap did not work if the pcap file was larger than 8MB.
PAN-153107
Fixed an issue where a dataplane process stopped responding while processing fragmented traffic on GTP-U tunnels.
PAN-152912
Fixed an issue where a content update caused the Panorama XML cache build to fail. This resulted in references to the used objects on Panorama being removed, which caused commits on the managed firewalls to fail.
PAN-152762
Fixed an issue where role-based administrators were unable to import certificate key pairs onto firewalls.
PAN-152746
Fixed an issue where the firewall dropped GTPv2-x Create Session Response packets with the following error message: bad port 84b.
PAN-152743
Fixed an issue where, when initial flows from both directions reached the firewall at the same time, a race condition occurred, which caused the firewall to display the following error message: Duplicate flows detected while inserting <number>, flow <number> with the same key. The flow keys were identical due to the flows having the same SRC and DST ports.
PAN-152098
Fixed an issue where the Policy Optimizer for some device groups showed incorrect data with a - character in the rule usage column.
PAN-151872
Fixed an issue where MAC addresses containing certain characters in sequential order caused an issue with TCP connections.
PAN-151691
Fixed an issue where the number of items under Add match criteria for Dynamic Address Groups did not update after setting a search filter string.
PAN-151584
Fixed an issue where the firewall changed the TTL (time-to-live) value in DNS responses to 0 when the firewall failed to resolve the DNS Security service, which caused a large number of DNS requests to be sent to the DNS server.
PAN-151486
Fixed an issue where user activity reports failed to run when the firewall was in FIPS mode.
PAN-151483
Fixed an issue where, when an out-of-order stream of TCP packets was subjected to HTTP header insertion, the packets were duplicated.
PAN-151458
Fixed an issue on firewalls with HA active/active configurations where GlobalProtect gateways timed out on-demand connections. This occurred because the Inactivity Logout timer did not reset.
PAN-151214
Fixed an issue where an XML API call to display configuration logs truncated the change-preview field of the logs if the entry had more than 64 characters.
PAN-151210
Fixed an issue where the dynamic address group learned in the parent dynamic group was not pushed to the child dynamic address group if the child dynamic address group was not configured with notify groups under the respective plugin.
When using the CLI command debug dau settings device-group recursive yes/no, clear previous dynamic address group entries from the Panorama database using the CLI command debug dau clear database device-group <dynamic address group name> for all dynamic address groups under the hierarchy for the dynamic address group configured in the monitoring definition. Also, do a full sync from the plugins configured using the command request plugins <plugin-name> sync.
PAN-150968
Fixed a rare issue with HTTP/2 decryption that caused packet header bytes to be corrupted, which caused packet drops.
PAN-150852
Fixed an issue with SMTP that occurred when attachment file names were longer than the allocated buffer. If the file name was longer than the buffer and Layer 7 inspection was enabled, the file was dropped, which caused session errors and an email to not be sent.
PAN-150247
Fixed an issue on the firewall where GlobalProtect Clientless VPN portal landing page customization for the navbar_bg_color variable did not take effect.
PAN-149915
Fixed an issue where a Panorama virtual appliance was unable to manage more than 2,500 firewalls when 28 or more CPU cores were available.
PAN-149645
Fixed an issue in a virtual wire deployment configured with Link State Pass Through enabled where, when one member port went down, the peer port took longer than expected to change the status to Down.
PAN-149641
Fixed an issue where firewalls stopped refreshing IP tag information when configured with the VM Information Sources feature with a VMWare vCenter Server.
PAN-149547
Fixed an issue where, after a change in Security policies, traffic logs for inner GTP-U sessions did not show IMSI or IMEI fields following a commit.
PAN-149339
Fixed an issue where, when an ECMP route changed, the flow table in the offload engine was not updated.
PAN-149327
Fixed an issue where the show gtp info CLI command returned an error.
PAN-149297
Fixed a buffer overflow issue on the management server, which forced the administrator to log out on the web interface.
PAN-149207
Fixed an issue where the clear log acc CLI command did not remove URL summary logs.
PAN-149101
Fixed an issue where the first SYN message of an FTP-DATA connection was dropped on non-session-owner appliances in an HA active/active configuration.
PAN-148818
Fixed an issue where the decryption profile was configured without the Block sessions with expired certificates option, but the firewall still blocked websites that were signed by an Expired AddTrust Root CA (certificate authority).
PAN-148767
Fixed an issue where the firewall incorrectly created GTP-U sessions from Create Session Request and Create Session Response packets.
PAN-147959
Fixed an issue where the last commit state did not change to config sent to device when pushing a device group configuration in the Managed Device > Summary page on Panorama.
PAN-147720
Fixed an issue where the firewall management server crashed when a report with a duration of 7 or more days was run.
PAN-147385
Fixed an issue where firewall buffers were depleted with GTP traffic due to the mishandling of conflicting sessions.
PAN-146373
(VM-Series firewalls only) Fixed an issue where a memory leak occurred on a process (vm_agent) due to host synchronization check.
PAN-146236
Fixed an issue where the firewall was unable to properly create stream control transmission protocol (SCTP) sessions for multi-homed environments when multiple endpoints on the same SCTP associations sent INIT/INIT-ACK chunks during handshakes.
PAN-144376
Fixed an issue in a multi-vsys environment where the firewall dropped RTP predict sessions and was unable to match them to their parent sessions due to a zone change.
PAN-142604
Fixed an issue where virtual memory of a process (configd) continuously increased until it stopped responding.
PAN-142548
Fixed a memory leak issue in a process (configd) that caused the firewall to be inaccessible.
PAN-142103
Fixed an issue where administrators were logged out of the web interface while making changes.
PAN-141719
Fixed an issue where the before-change-preview and after-change-preview filters were usable even though they did not return configuration logs.
PAN-141255
Removed the fields device SN and device name on Panorama from the predefined filter used in Log Forwarding and Log Settings.
PAN-140985
Fixed an issue where Cortex Data Lake traffic was identified as ssl instead of paloalto-logging-service.
PAN-140222
Fixed an issue where logs were not forwarded to the syslog server with the following error message: profile: Syslog (1) is duplicated.
PAN-137233
Fixed an issue where authenticating to GlobalProtect via expired SAML requests (waiting more than 10 minutes) still sent authentication to the SAML server. This invalidated the previously connected gateway and connected users to the second best gateway.
PAN-129314
Fixed an issue where the internal SQLite3 database was locked, which caused a process (useridd) to stop responding and group mapping retrieval to fail. This issue also caused the group mapping list to not display from the CLI.
PAN-124579
Fixed an issue where a process (all_task_3) restarted, which caused the tunnels to reset.
PAN-119161
(PA-7000 Series firewalls only) Fixed an issue where firewalls were unable to start up a Network Processing Card (NPC) due to a process (brdagent) restarting repeatedly.
PAN-110720
Fixed an issue where a high volume of traffic over SSL VPN caused a process (all_pktproc) to unexpectedly stop responding.
PAN-100489
Fixed an issue where the Group found flag was set to NO on User-ID logs on the web interface, even when the user belonged to a group retrieved from the Active Directory (AD) server.
PAN-79640
Fixed an issue where the firewall intermittently logged incorrect actions for WildFire submissions and reports.
