PAN-OS 9.1.8 Addressed Issues

PAN-OS® 9.1.8 addressed issues.
Issue ID
Description
PAN-161121
Fixed an issue on the Panorama management server that caused invalid reference errors when attempting to delete an address object (
Objects > Addresses
) after removing the address object reference from an address group (
Objects > Address Groups
) resulting in you being unable commit and push the configuration to managed firewalls.
PAN-160376
Fixed an issue where, for local administrators using an authentication profile, the
save filter
(
Monitor > Logs
) option was grayed out.
PAN-158650
Fixed an issue where several operations and processes stopped responding due to a deadlock issue between the CLI thread and the Terminal Server (TS) agent message processing the thread.
PAN-158638
Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP):
invalid ocsp response sig-alg
.
PAN-158293
Fixed an issue where a sudden increase in packet buffer descriptors disrupted traffic.
PAN-158122
Fixed an issue where SNMP readings reported 0 for dataplane interface packet statistics when using PacketMMAP mode. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
PAN-157786
Fixed an issue where the
Device > Setup
page was blank after downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release.
PAN-157319
(
PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only
) Fixed an issue where GlobalProtect logs showed the incorrect client version and did not show event ID information.
PAN-157168
Fixed an issue where a process (mprelay) stopped responding when displaying debug PDT commands
PAN-157049
(
PA-3200 Series firewalls only
) Fixed an issue where the firewall processed internal path monitoring packets more slowly than expected when processing large amounts of traffic, which caused the dataplane to restart.
PAN-156891
Fixed an issue where some zip files did not download and the following error message displayed:
resources-unavailable
.
PAN-156716
Fixed an issue where the firewall sent ARP replies without checking the ingress interface when the requested IP address was configured as a destination NAT (DNAT) address.
PAN-155665
Fixed an issue where, if an authentication profile was configured with an authorization type of
none
, users were inappropriately prompted for a password. Since the authentication type was set to
none
, any input was successful. This issue occurred when
Allow Authentication with User Credentials OR Client Certificate
was set to
no
.
PAN-155326
Fixed an issue where the BGP
AS Number
template variable was not referenceable from the web interface.
PAN-155294
Fixed an issue where iPad devices did not display Captive Portal multi-factor authentication (MFA) pages correctly when using Okta for push notifications.
PAN-155124
Fixed an issue where IP address-to-username mapping did not correctly sync to the secondary active firewall in an active/active HA configuration if a logout and a log in event occurred within the same second.
PAN-154899
Fixed an out-of-memory (OOM) issue on the firewalls that caused LACP, BGP, and OSPF to go down, resulting in the firewall not receiving LACPDU messages.
PAN-154844
Fixed an issue where commits and autocommits repeatedly failed due to an OOM condition that disrupted the processes pan_task and devsrvr.
PAN-154812
Fixed a memory leak issue related to a process (configd) that was caused by log queries filtering by address.
PAN-154591
Fixed an issue where NULL users in
panGlobalProtectGetConfig
were not checked for before calling strcmp().
PAN-154391
Fixed an issue where a Log Collector did not forward correlation logs to the syslog server over TCP.
PAN-154365
Fixed an issue where Security policy rules targeted by tags incorrectly displayed as deleted when previewing commit changes.
PAN-153814
Fixed an issue where the firewall displayed the URL Filtering Safe Search Block Page on the specific site only, even when the traffic was matched to a specific rule that did not have any URL filtering policies.
PAN-153705
Fixed an issue where packets were not evenly distributed among a process (pan_tasks), which caused latency and poor performance.
PAN-153631
Fixed an issue where the firewalls did not generate traffic logs for implicitly allowed applications.
PAN-153614
Fixed an issue where user-based policies did not correctly match if the same user was included in both a policy with the username in NetBIOS format and another policy with the username in FQDN format.
PAN-153294
Fixed an issue on the firewall where a GlobalProtect username authenticated via Kerberos was unnecessarily normalized to SAMAccountName format.
PAN-153261
Fixed an issue where not all fragmented packets were transmitted, which caused increased packet buffer usage.
PAN-152998
Fixed an issue where the User-ID process CPU usage remained high when a large number of Terminal Server (TS) agents were configured but only a few were connected.
PAN-152813
Fixed an issue with configuration memory leaks on Panorama that caused a process (configd) to restart.
PAN-152677
(
VM-Series firewalls on Azure only
) Fixed an issue where packet buffers showed high values when Data Plane Development Kit (DPDK) was enabled.
PAN-152648
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
PAN-152103
Fixed a memory leak issue where a process (dnsproxy) did not properly release memory after use.
PAN-151997
Fixed an issue where the option to sinkhole was not displayed in the ACC filter drop-down (
ACC > Threat Activity > Global filters > Action
).
PAN-151888
Fixed an issue where remote users were able to save log filters, which created a local user with the same username. With this fix, remote users cannot save a log filter.
PAN-151808
Fixed an issue where an EDL refresh job did not complete when the configuration for EDL servers used certificate profiles, due to the large server certificates.
PAN-151803
Fixed an issue on Panorama where commits failed when using
device-id
as a template variable.
PAN-151503
Fixed an intermittent issue where memory was not fully freed after a Panorama commitAll completion on the firewall.
PAN-151218
(
PA-3200 Series firewalls only
) Fixed an issue where the
crashinfo
file was not generated after a process (all_pktproc) stopped responding on the dataplane before path monitoring triggered a device reboot.
PAN-150867
An enhancement was made to enable additional logging during kernel panic/oops that helps identify the cause.
PAN-150798
(
PA-7000 Series firewalls only
) Fixed an issue where Network Processing Cards (NPC) took longer than expected or failed to boot.
PAN-150534
Fixed an issue where authentication logs with the subtype SAML were not forwarded to the syslog server.
PAN-150467
Fixed a memory leak issue with a unified query that caused a process (mprelay) to restart due to an OOM condition.
PAN-150085
Fixed an issue where a process (configd) stopped responding which caused context switches to slow.
PAN-150008
Fixed an issue on the firewall where configuring auto-tagging based on URL filtering logs resulted in tags being added to source IP addresses and not matching the log forwarding filter match criteria.
PAN-149283
Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list.
PAN-148800
Fixed an issue where the firewall used port 1080 to reach dns.service.paloaltonetworks.com when web-proxy was configured.
PAN-148549
Fixed an issue where newly created interface management profiles were unable to be linked to subinterfaces.
PAN-148359
Fixed an issue where SD-WAN server-to-client symmetric return did not function correctly in certain circumstances. This issue intermittently affected path selection of parent/child applications, such as FTP.
PAN-147221
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints
PAN-145733
Fixed an issue where the
SNMP INDEX
for
panZoneTable
on the
PAN-COMMON-MIB.my
file did not work as expected, which led to entries in
panZoneTable
not being uniquely identified.
PAN-145417
Debug commands were added to address an issue where the firewall connect to Cortex Data Lake due to the Online Certificate Status Protocol (OSCP) message missing the
nextUpdate
value in the OSCP response.
PAN-144975
Fixed an intermittent issue where a high traffic load in a Layer 2 deployment caused SNMP and Panorama health monitoring failures.
PAN-144887
(
Panorama virtual appliances in high availability (HA) configurations with VMware NSX plugin only
) Fixed an issue where dynamic address group updates and configuration pushes failed when new plugins were installed or uninstalled, or when a process (configd) was restarted or reinitialized.
PAN-144594
Fixed an issue where web pages failed to launch over clientless VPN when cookies had the expiry value set to 0 in the packet.
PAN-143485
Fixed a memory leak issue related to a process (devsrvr).
PAN-141813
Fixed an issue where multiple daemons restarted due to a management plane ARP overflow.
PAN-140093
(
PA-220 firewalls only
) Fixed an issue where the master key was unable to be changed.
PAN-137205
Fixed an issue where
Review Policies
did not show all related policies.
PAN-136478
(
PA-7000 Series firewalls
) where syslog forwarding over TCP did not work in a multi-vsys environment.
PAN-136073
Fixed an issue where the High Speed Chassis Interconnect (HSCI) port flapped continuously after an upgrade or reboot.
PAN-134461
Fixed an issue where an admin user authenticated to Panorama with RADIUS and assigned a Device Group and Template Admin role using access domains was unable to add a managed firewall to Panorama and received the following error message:
Import failed user <username> does not exist
.
PAN-133886
Fixed an issue where GlobalProtect users were unable to connect to mobile gateways when download of a large CRL failed due to timeouts that resulted in CRL check failures.
PAN-133863
Fixed an issue where the Panorama Virtual Appliance in Log Collector mode went into maintenance mode due to a process (reportd) not responding.
PAN-132035
Fixed an issue on Panorama appliances in an active/passive high availability configuration where a managed firewall generated high priority alerts that it failed to connect to the passive Panorama appliance's User-ID agent server. This issue occurred because the firewall was only able to connect to one Panorama User-ID server at a time, and it connected only to the active Panorama appliance's User-ID server.
PAN-131462
Fixed an issue where the title page of PDF reports did not show the entire Palo Alto Networks logo.
PAN-129927
(
VM-Series firewalls only
) Fixed an issue where firewalls with Layer 3 subinterfaces reset Class of Service (CoS) bits in 802.1q.
PAN-120013
Fixed an issue where secure communication settings were incorrectly synchronized between Panorama appliances in an HA configuration.
PAN-115494
Fixed an issue where the
/opt/pancfg/ partition
became full due to a configuration preview operation not responding.
PAN-114351
Fixed an issue where SSL decryption slowed traffic with the TCP timestamp option enabled.
PAN-113386
Fixed an issue where an address object with a tag that contained a space character inside quotation marks was not properly processed and assigned to the appropriate Dynamic Address Group.
PAN-110962
Fixed an issue where a process (
all_pktproc
) stopped responding when SSH decryption was enabled, which caused the dataplane to restart.
PAN-100693
Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.

Recommended For You