PAN-OS 9.1.8 Addressed Issues

PAN-OS® 9.1.8 addressed issues.
Fixed an issue on the Panorama management server that caused invalid reference errors when attempting to delete an address object (Objects > Addresses) after removing the address object reference from an address group (Objects > Address Groups), resulting in you being unable to commit and push the configuration to managed firewalls.
Fixed an issue where, for local administrators using an authentication profile, the save filter (Monitor > Logs) option was grayed out.
Fixed an issue where several operations and processes stopped responding due to a deadlock issue between the CLI thread and the Terminal Server (TS) agent message processing the thread.
Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP):
invalid ocsp response sig-alg
Fixed an issue where a sudden increase in packet buffer descriptors disrupted traffic.
Fixed an issue where SNMP readings reported 0 for dataplane interface packet statistics when using PacketMMAP mode. This issue occurred because the physical port counters read from MAC addresses were reported as 0.
Fixed an issue where the Device > Setup page was blank after downgrading from a PAN-OS 10.0 release to a PAN-OS 9.1 release.
(PA-7000 Series firewalls with Log Forwarding Cards (LFCs) only) Fixed an issue where GlobalProtect logs showed the incorrect client version and did not show event ID information.
Fixed an issue where a process (mprelay) stopped responding when displaying debug PDT commands.
(PA-3200 Series firewalls only) Fixed an issue where the firewall processed internal path monitoring packets more slowly than expected when processing large amounts of traffic, which caused the dataplane to restart.
Fixed an issue where some zip files did not download and the following error message displayed:
Fixed an issue where the firewall sent ARP replies without checking the ingress interface when the requested IP address was configured as a destination NAT (DNAT) address.
Fixed an issue where, if an authentication profile was configured with an authorization type of , users were inappropriately prompted for a password. Since the authentication type was set to , any input was successful. This issue occurred when Allow Authentication with User Credentials OR Client Certificate was set to
Fixed an issue where the BGP AS Number template variable was not referenceable from the web interface.
Fixed an issue where iPad devices did not display Captive Portal multi-factor authentication (MFA) pages correctly when using Okta for push notifications.
Fixed an issue where IP address-to-username mapping did not correctly sync to the secondary active firewall in an active/active HA configuration if a logout and a log in event occurred within the same second.
Fixed an out-of-memory (OOM) issue on the firewalls that caused LACP, BGP, and OSPF to go down, resulting in the firewall not receiving LACPDU messages.
Fixed an issue where commits and autocommits repeatedly failed due to an OOM condition that disrupted the processes pan_task and devsrvr.
Fixed a memory leak issue related to a process (configd) that was caused by log queries filtering by address.
Fixed an issue where NULL users in were not checked for before calling strcmp().
Fixed an issue where a Log Collector did not forward correlation logs to the syslog server over TCP.
Fixed an issue where Security policy rules targeted by tags incorrectly displayed as deleted when previewing commit changes.
Fixed an issue where the firewall displayed the URL Filtering Safe Search Block Page on the specific site only, even when the traffic was matched to a specific rule that did not have any URL filtering policies.
Fixed an issue where packets were not evenly distributed among a process (pan_tasks), which caused latency and poor performance.
Fixed an issue where the firewalls did not generate traffic logs for implicitly allowed applications.
Fixed an issue where user-based policies did not correctly match if the same user was included in both a policy with the username in NetBIOS format and another policy with the username in FQDN format.
Fixed an issue on the firewall where a GlobalProtect username authenticated via Kerberos was unnecessarily normalized to SAMAccountName format.
Fixed an issue where not all fragmented packets were transmitted, which caused increased packet buffer usage.
Fixed an issue where the User-ID process CPU usage remained high when a large number of Terminal Server (TS) agents were configured but only a few were connected.
Fixed an issue with configuration memory leaks on Panorama that caused a process (configd) to restart.
(VM-Series firewalls on Azure only) Fixed an issue where packet buffers showed high values when Data Plane Development Kit (DPDK) was enabled.
Fixed an issue where multiple all_pktproc processes stopped responding, which caused the dataplane to restart.
Fixed a memory leak issue where a process (dnsproxy) did not properly release memory after use.
Fixed an issue where the option to sinkhole was not displayed in the ACC filter drop-down (ACC > Threat Activity > Global filters > Action).
Fixed an issue where remote users were able to save log filters, which created a local user with the same username. With this fix, remote users cannot save a log filter.
Fixed an issue where an EDL refresh job did not complete when the configuration for EDL servers used certificate profiles, due to the large server certificates.
Fixed an issue on Panorama where commits failed when using as a template variable.
Fixed an intermittent issue where memory was not fully freed after a Panorama commitAll completion on the firewall.
(PA-3200 Series firewalls only) Fixed an issue where the file was not generated after a process (all_pktproc) stopped responding on the dataplane before path monitoring triggered a device reboot.
An enhancement was made to enable additional logging during kernel panic/oops that helps identify the cause.
(PA-7000 Series firewalls only) Fixed an issue where Network Processing Cards (NPC) took longer than expected or failed to boot.
Fixed an issue where authentication logs with the subtype SAML were not forwarded to the syslog server.
Fixed a memory leak issue with a unified query that caused a process (mprelay) to restart due to an OOM condition.
Fixed an issue where a process (configd) stopped responding which caused context switches to slow.
Fixed an issue on the firewall where configuring auto-tagging based on URL filtering logs resulted in tags being added to source IP addresses and not matching the log forwarding filter match criteria.
Fixed an issue where editing device log forwarding in the collector group then filtering specific firewalls and adding new firewalls caused the old firewalls to disappear from the log forwarding preferences list.
Fixed an issue where the firewall used port 1080 to reach when web-proxy was configured.
Fixed an issue where newly created interface management profiles were unable to be linked to subinterfaces.
Fixed an issue where SD-WAN server-to-client symmetric return did not function correctly in certain circumstances. This issue intermittently affected path selection of parent/child applications, such as FTP.
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints.
Fixed an issue where the on the file did not work as expected, which led to entries in not being uniquely identified.
Debug commands were added to address an issue where the firewall connect to Cortex Data Lake due to the Online Certificate Status Protocol (OCSP) message missing the value in the OCSP response.
Fixed an intermittent issue where a high traffic load in a Layer 2 deployment caused SNMP and Panorama health monitoring failures.
(Panorama virtual appliances in high availability (HA) configurations with VMware NSX plugin only) Fixed an issue where dynamic address group updates and configuration pushes failed when new plugins were installed or uninstalled, or when a process (configd) was restarted or reinitialized.
Fixed an issue where web pages failed to launch over clientless VPN when cookies had the expiry value set to 0 in the packet.
Fixed a memory leak issue related to a process (devsrvr).
Fixed an issue where multiple daemons restarted due to a management plane ARP overflow.
(PA-220 firewalls only) Fixed an issue where the master key was unable to be changed.
Fixed an issue where Review Policies did not show all related policies.
(PA-7000 Series firewalls) Fixed an issue where syslog forwarding over TCP did not work in a multi-vsys environment.
Fixed an issue where the High Speed Chassis Interconnect (HSCI) port flapped continuously after an upgrade or reboot.
Fixed an issue where an admin user authenticated to Panorama with RADIUS and assigned a Device Group and Template Admin role using access domains was unable to add a managed firewall to Panorama and received the following error message:
Import failed user <username> does not exist
Fixed an issue where GlobalProtect users were unable to connect to mobile gateways when download of a large CRL failed due to timeouts that resulted in CRL check failures.
Fixed an issue where the Panorama Virtual Appliance in Log Collector mode went into maintenance mode due to a process (reportd) not responding.
Fixed an issue on Panorama appliances in an active/passive high availability configuration where a managed firewall generated high priority alerts that it failed to connect to the passive Panorama appliance's User-ID agent server. This issue occurred because the firewall was only able to connect to one Panorama User-ID server at a time, and it connected only to the active Panorama appliance's User-ID server.
Fixed an issue where the title page of PDF reports did not show the entire Palo Alto Networks logo.
(VM-Series firewalls only) Fixed an issue where firewalls with Layer 3 subinterfaces reset Class of Service (CoS) bits in 802.1q.
Fixed an issue where secure communication settings were incorrectly synchronized between Panorama appliances in an HA configuration.
Fixed an issue where the /opt/pancfg/ partition became full due to a configuration preview operation not responding.
Fixed an issue where SSL decryption slowed traffic with the TCP timestamp option enabled.
Fixed an issue where an address object with a tag that contained a space character inside quotation marks was not properly processed and assigned to the appropriate Dynamic Address Group.
Fixed an issue where a process ( ) stopped responding when SSH decryption was enabled, which caused the dataplane to restart.
Fixed an issue where you were unable to process Address Group match criteria when the match name included the double quotation ( " ) character.
