PAN-OS 9.1.9 Addressed Issues

PAN-OS® 9.1.9 addressed issues.
Issue ID
Fixed an issue where multiple messages were exchanged between secondary and primary Data Plane Development Kit (DPDK) processes, which caused a process (brdagent) to stop responding.
Fixed an issue where stats API attempted to get stats from an unavailable port.
Fixed an issue on multi-dataplane platforms where traffic through Large Scale VPN (LSVPN) tunnels dropped with the error message: tunnel resolution failure
Fixed an issue where the GlobalProtect client used IPv6 during gateway login but used IPv4 during IPsec tunnel creation, which caused it to fall back to SSL.
Fixed an issue where DNS over TCP caused a process (dnsproxy) to run out of memory.
Fixed an issue where the time-to-live (TTL) value received from the DNS server reset to 0 on DNS secure TCP transactions when anti-spyware profiles were used, which caused DNS dynamic updates to fail.
Fixed an issue where the routed process stopped responding when the BGP peer sent AS_PATHs with more than 255 AS numbers in all of the segments combined. There can now be a maximum of 255 AS numbers in an AS_PATH list for a prefix.
Fixed an issue where the negative time difference between the dataplane and the management plane during the client certificate info check prevented the GlobalProtect client from connecting to the GlobalProtect gateway with the following error message:
Required client certificate not found
Certain invalid URL entries contained in an External Dynamic List (EDL) cause a process (devsrvr) to stop responding (CVE-2021-3048).
Fixed an issue where firewalls stopped processing Layer-3-tagged traffic after Panorama pushed VLAN sub-interface configurations to the firewall with the
Fixed an issue where a process (dnsproxyd) stopped responding due to an error in the DNS cache operation.
Fixed an issue where SSL VPN leaked when the default browser feature on GlobalProtect was not enabled.
Fixed an issue where the firewall rejected SAML Assertions, which caused user authentication failure when the Validate Identity Provider Certificate was enabled in the SAML Server Profile in vsys3 or above.
Fixed an issue with HTTP Header Insertion where the payload was truncated when processing a segmented TCP stream and when the client retransmitted the packet with the same sequence number that was previously received segmented.
Adds additional debugging to be used in identifying the malformed references causing process crashes during FQDN refresh.
Fixed an issue where random DNS queries dropped with the counter
when DNS security was enabled.
A fix was made to address an improper handling of exception conditions in the PAN-OS dataplane that enabled an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that caused the service to crash (CVE-2021-3053).
Fixed an issue where the firewall stopped populating the multicast FIB table with OIL entries for multicast groups.
A buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS software allows remote attackers to execute arbitrary code.
A fix was made to address a buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS that allowed a remote attacker to execute arbitrary code (CVE-2020-10188).
Fixed an issue on the firewall where custom application signatures based on PROPFIND http-method didn't trigger if
application ID was blocked by a Security policy.
To utilize this fix, you must install content version 8367-6513 or later.
Fixed an issue where the new PA-7000 100G network processing card (NPC) took 25 minutes to start after rebooting the PA-7080 chassis.
Fixed an issue where the firewall dropped GPRS tunneling protocol (GTPv2) Create Session Requests and Responses that had IEs 201 and 202 with the error: Abnormal GTPv2-C message with invalid IE
Fixed an issue where HIP custom checks for plist failed when the HIP exclusion category was configured under (Mobile User Template > Network > GlobalProtect > Portal <portal-config> > Agent <agent-config> > HIP Data Collection).
Fixed an issue where Panorama > Cloud Services was visible to users with device group and template admin roles even if the admin role was disabled.
(VM-Series firewalls only) Fixed an issue where the firewall frequently stopped responding with the following log:
CONFIG_UPDATE_INC : Incremental update to DP failed please try to commit force the latest config
Fixed an issue where the firewall displayed
IP address
default gateway
on the web interface as well as the CLI.
(PA-3200 Series firewalls only) Fixed an issue where the HA1-B port remained down after an upgrade from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to PAN-OS 10.0.4.
Fixed an issue where multicast RTP traffic triggered unicast RTP Control Protocol (RTCP), and the predict session failed to install, which blocked the parent RTP session from forwarding packets.
(VM-Series firewalls on Microsoft Azure that use accelerated networking interfaces with DPDK mode) Fixed an issue where hot plug notifications caused traffic disruption.
Fixed an issue that caused a process (useridd) core dump when parsing the Subject Alternative Name from a client certificate sent in the HIP report.
Fixed an issue with HIP matching logic for missing patches where previous behavior indicated missing patches when no patches were missing.
Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.
Fixed an issue where the firewall dropped VoIP traffic over IPSec with counters
CLI commands were added to address an issue where virtual memory on a process (configd) exceeded the new 32G limit.
  • To disable the virtual memory limit, use
    debug software disable-virt-limit
  • To enable the virtual memory limit, use
    debug software enable-virt-limit
Fixed an issue on Panorama deployed on Amazon Web Services (AWS) where the Log Collector disk was in the Admin disabled state after changing the instance type from m4 to m5.
Fixed a rare issue where TCP packets randomly dropped due to reassembly failure.
Fixed an issue where the firewall was unable to create a new GTP-U session when it received Create Session Response messages, which caused the following error message to display in the GTP log:
GTPv1 message failed stateful inspection
(VM-Series firewalls on Microsoft Hyper-V only) Fixed an issue where, when upgrading to PAN-OS 9.0.8 or later, ethernet packets dropped after adding VLAN tags during egress from a subinterface. To leverage this fix, set the interface level maximum transmission unit (MTU) to 1496 or less.
Fixed an issue where an email client was unable to open an attached file due to removal of part of the file name encoded in UTF-8 by the firewall CTD function for SMTP and NAT sessions.
Fixed an issue where the firewall repeatedly logged connection failures to a configured Log Collector.
Fixed an issue where Android clients matched HIP objects configured for Apple products.
Fixed an issue where hourly URL summary log generation failed.
A fix was made to address an improper authentication vulnerability in PAN-OS that enabled a SAML authenticated attacker to impersonate any other user in the GlobalProtect portal and GlobalProtect gateway when they were configured to use SAML authentication (CVE-2021-3046).
A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).
Fixed an issue where a process (configd) stopped responding due to a buffer overflow.
Checks were added to help prevent the dataplane from restarting.
Fixed an issue where locally disabling the rule hit-count feature on Panorama caused a memory leak.
Fixed an issue where driver descriptor rings were out of sync in the control plane to dataplane direction, which caused internal path monitoring heartbeat failures.
Fixed an issue where the management server restarted due to a telemetry buffer overflow that occurred when generated threat logs had specific signature flags set.
Fixed an issue where the firewall was unable to log debug information in case of kernel panic.
Fixed an issue where a commit failed with the following error message:
Disk quotas add up to more than 100%. Invalid configuration.
due to an integration issue.
Fixed an issue where DNS proxy TCP connections were processed incorrectly, which caused a process (
) to stop responding.
Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.
Support was added for XML API for GlobalProtect logs.
Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (
) stopped responding, which caused the dataplane to restart.
Fixed an issue with firewalls in a high availability configuration where multiple all_pktproc processes stopped responding due to missing heartbeats, which caused service outages.
