PAN-OS 9.1.9 Addressed Issues
Focus
Focus

PAN-OS 9.1.9 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 9.1.9 Addressed Issues

PAN-OS® 9.1.9 addressed issues.
Issue ID
Description
PAN-165194
Fixed an issue where multiple messages were exchanged between secondary and primary Data Plane Development Kit (DPDK) processes, which caused a process (brdagent) to stop responding.
PAN-164564
Fixed an issue where stats API attempted to get stats from an unavailable port.
PAN-163538
Fixed an issue on multi-dataplane platforms where traffic through Large Scale VPN (LSVPN) tunnels dropped with the error message tunnel resolution failure.
PAN-163164
Fixed an issue where the GlobalProtect client used IPv6 during gateway login but used IPv4 during IPsec tunnel creation, which caused it to fallback to SSL.
PAN-162746
Fixed an issue where DNS over TCP caused a process (dnsproxy) to run out of memory.
PAN-161745
Fixed an issue where the time-to-live (TTL) value received from the DNS server reset to 0 on DNS secure TCP transactions when anti-spyware profiles were used, which caused DNS dynamic updates to fail.
PAN-160782
Fixed an issue where the routed process stopped responding when the BGP peer sent AS_PATHs with more than 255 AS numbers in all of the segments combined. There can now be a maximum of 255 AS numbers in an AS_PATH list for a prefix.
PAN-160744
Fixed an issue where the negative time difference between the dataplane and the management plane during the client certificate info check prevented the GlobalProtect client from connecting to the GlobalProtect gateway with the following error message: Required client certificate not found.
PAN-160455
Certain invalid URL entries contained in an External Dynamic List (EDL) cause a process (devsrvr) to stop responding (CVE-2021-3048).
PAN-160434
Fixed an issue where firewalls stopped processing Layer-3-tagged traffic after Panorama pushed VLAN sub-interface configurations to the firewall with the commit_all operation.
PAN-159944
Fixed an issue where a process (dnsproxyd) stopped responding due to an error in the DNS cache operation.
PAN-159826
Fixed an issue where SSL VPN leaked when the default browser feature on GlobalProtect was not enabled.
PAN-159135
Fixed an issue where the firewall rejected SAML Assertions, which caused user authentication failure when the Validate Identity Provider Certificate was enabled in the SAML Server Profile in vsys3 or above.
PAN-158988
Fixed an issue with HTTP Header Insertion where the payload was truncated when processing a segmented TCP stream and when the client retransmitted the packet with the same sequence number that was previously received segmented.
PAN-158844
Adds additional debugging to be used in identifying the malformed references causing process crashes during FQDN refresh.
PAN-158774
Fixed an issue where random DNS queries dropped with the counter ctd_dns_wait_pkt_drop when DNS security was enabled.
PAN-158723
A fix was made to address an improper handling of exception conditions in the PAN-OS dataplane that enabled an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that caused the service to crash (CVE-2021-3053).
PAN-158328
Fixed an issue where the firewall stopped populating the multicast FIB table with OIL entries for multicast groups.
PAN-158262
A buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS software allows remote attackers to execute arbitrary code.
A fix was made to address a buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS that allowed a remote attacker to execute arbitrary code (CVE-2020-10188).
PAN-158036
Fixed an issue on the firewall where custom application signatures based on PROPFIND http-method didn't trigger if webdav application ID was blocked by a Security policy.
To utilize this fix, you must install content version 8367-6513 or later.
PAN-157735
Fixed an issue where the new PA-7000100G network processing card (NPC) took 25 minutes to start after rebooting the PA-7080 chassis.
PAN-157721
Fixed an issue where the firewall dropped GPRS tunneling protocol (GTPv2) Create Session Requests and Responses that had IEs 201 and 202 with the error Abnormal GTPv2-C message with invalid IE.
PAN-157346
Fixed an issue where HIP custom checks for plist failed when the HIP exclusion category were configured under (Mobile User Template > Network > GlobalProtect > Portal<portal-config> > Agent<agent-config> > HIP Data Collection).
PAN-157271
Fixed an issue where Panorama > Cloud Services was visible to users with device group and template admin roles even if the admin role was disabled.
PAN-156896
(VM-Series firewalls only) Fixed an issue where the firewall frequently stopped responding with the following log: CONFIG_UPDATE_INC : Incremental update to DP failed please try to commit force the latest config.
PAN-156264
Fixed an issue where the firewall displayed IP address Netmask and default gateway as unknown on the web interface as well as the CLI.
PAN-156225
(PA-3200 Series firewalls only) Fixed an issue where the HA1-B port remained down after an upgrade from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to PAN-OS 10.0.4.
PAN-155656
Fixed an issue where multicast RTP traffic triggered unicast RTP Control Protocol (RTCP), and the predict session failed to install, which blocked the parent RTP session from forwarding packets.
PAN-155147
(VM-Series firewalls on Microsoft Azure that use accelerated networking interfaces with DPDK mode) Fixed an issue where hot plug notifications caused traffic disruption.
PAN-154557
Fixed an issue that caused a process (useridd) core dump when parsing the Subject Alternative Name from a client certificate sent in the HIP report.
PAN-154403
Fixed an issue with HIP matching logic for missing patches where previous behavior indicated missing patches when no patches were missing.
PAN-154376
Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.
PAN-154195
Fixed an issue where the firewall dropped VoIP traffic over IPSec with counters flow_predict_convert_rtp_drop and flow_predict_convert_failed.
PAN-153316
CLI commands were added to address an issue where virtual memory on a process (configd) exceeded the new 32G limit.
  • To disable the virtual memory limit, use debug software disable-virt-limit.
  • To enable the virtual memory limit, use debug software enable-virt-limit.
PAN-153286
Fixed an issue on Panorama deployed on Amazon Web Services (AWS) where the Log Collector disk was on Admin disabled state when changing the instance type from m4 to m5.
PAN-153213
Fixed a rare issue where TCP packets randomly dropped due to reassembly failure.
PAN-152497
Fixed an issue where the firewall was unable to create a new GTP-U session when it received Create Session Response messages, which caused the following error message to display in the GTP log: GTPv1 message failed stateful inspection.
PAN-152458
(VM-Series firewalls on Microsoft Hyper-V only) Fixed an issue where, when upgrading to PAN-OS 9.0.8 or later, ethernet packets dropped after adding VLAN tags during egress from a subinterface. To leverage this fix, set the interface level maximum transmission unit (MTU) to 1496 or less.
PAN-152003
Fixed an issue where an email client was unable to open an attached file due to removal of part of the file name encoded in UTF-8 by the firewall CTD function for SMTP and NAT sessions.
PAN-151395
Fixed an issue where the firewall repeatedly logged connection failures to a configured Log Collector.
PAN-150298
Fixed an issue where Android clients matched HIP objects configured for Apple products.
PAN-150097
Fixed an issue where hourly URL summary log generation failed.
PAN-150023
A fix was made to address an improper authentication vulnerability in PAN-OS that enabled a SAML authenticated attacker to impersonate any other user in the GlobalProtect portal and GlobalProtect gateway when they were configured to use SAML authentication (CVE-2021-3046).
PAN-149501
A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).
PAN-147792
Fixed an issue where a process (configd) stopped responding due to a buffer overflow.
PAN-147783
Checks were added to help prevent the dataplane from restarting.
PAN-144538
Fixed an issue where locally disabling the rule hit-count feature on Panorama caused a memory leak.
PAN-144470
Fixed an issue where driver descriptor rings were out of sync in the control plane to dataplane direction, which caused internal path monitoring heartbeat failures.
PAN-142818
Fixed an issue where the management server restarted due to a telemetry buffer overflow that occurred when generated threat logs had specific signature flags set.
PAN-142621
Fixed an issue where the firewall was unable to log debug information in case of kernel panic.
PAN-142473
Fixed an issue where a commit failed with the following error message: Disk quotas add up to more than 100%. Invalid configuration. due to an integration issue.
PAN-136347
Fixed an issue wherer DNS proxy TCP connections were processed incorrectly, which caused a process (dnsproxy) to stop responding.
PAN-134799
Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.
PAN-120423
Support was added for XML API for GlobalProtect logs.
PAN-113795
Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (all_pkts) stopped responding, which caused the dataplane to restart.
PAN-110429
Fixed an issue with firewalls in a high availability configuration where multiple all_pktproc processes stopped responding due to missing heartbeats, which caused service outages.