>
    PAN-OS 9.1.9 Addressed Issues
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS 9.1 Addressed Issues
    4. PAN-OS 9.1.9 Addressed Issues
    Download PDF

    PAN-OS 9.1.9 Addressed Issues

    Table of Contents

    PAN-OS 9.1.9 Addressed Issues

    PAN-OS® 9.1.9 addressed issues.
    Issue ID
    Description
    PAN-165194
    Fixed an issue where multiple messages were exchanged between secondary and primary Data Plane Development Kit (DPDK) processes, which caused a process (brdagent) to stop responding.
    PAN-164564
    Fixed an issue where stats API attempted to get stats from an unavailable port.
    PAN-163538
    Fixed an issue on multi-dataplane platforms where traffic through Large Scale VPN (LSVPN) tunnels dropped with the error message
    tunnel resolution failure
    .
    PAN-163164
    Fixed an issue where the GlobalProtect client used IPv6 during gateway login but used IPv4 during IPsec tunnel creation, which caused it to fallback to SSL.
    PAN-162746
    Fixed an issue where DNS over TCP caused a process (dnsproxy) to run out of memory.
    PAN-161745
    Fixed an issue where the time-to-live (TTL) value received from the DNS server reset to 0 on DNS secure TCP transactions when anti-spyware profiles were used, which caused DNS dynamic updates to fail.
    PAN-160782
    Fixed an issue where the routed process stopped responding when the BGP peer sent AS_PATHs with more than 255 AS numbers in all of the segments combined. There can now be a maximum of 255 AS numbers in an AS_PATH list for a prefix.
    PAN-160744
    Fixed an issue where the negative time difference between the dataplane and the management plane during the client certificate info check prevented the GlobalProtect client from connecting to the GlobalProtect gateway with the following error message:
    Required client certificate not found
    .
    PAN-160455
    Certain invalid URL entries contained in an External Dynamic List (EDL) cause a process (devsrvr) to stop responding (CVE-2021-3048).
    PAN-160434
    Fixed an issue where firewalls stopped processing Layer-3-tagged traffic after Panorama pushed VLAN sub-interface configurations to the firewall with the
    commit_all
     operation.
    PAN-159944
    Fixed an issue where a process (dnsproxyd) stopped responding due to an error in the DNS cache operation.
    PAN-159826
    Fixed an issue where SSL VPN leaked when the default browser feature on GlobalProtect was not enabled.
    PAN-159135
    Fixed an issue where the firewall rejected SAML Assertions, which caused user authentication failure when the
    Validate Identity Provider Certificate
     was enabled in the SAML Server Profile in vsys3 or above.
    PAN-158988
    Fixed an issue with HTTP Header Insertion where the payload was truncated when processing a segmented TCP stream and when the client retransmitted the packet with the same sequence number that was previously received segmented.
    PAN-158844
    Adds additional debugging to be used in identifying the malformed references causing process crashes during FQDN refresh.
    PAN-158774
    Fixed an issue where random DNS queries dropped with the counter
    ctd_dns_wait_pkt_drop
     when DNS security was enabled.
    PAN-158723
    A fix was made to address an improper handling of exception conditions in the PAN-OS dataplane that enabled an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that caused the service to crash (CVE-2021-3053).
    PAN-158328
    Fixed an issue where the firewall stopped populating the multicast FIB table with OIL entries for multicast groups.
    PAN-158262
    A buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS software allows remote attackers to execute arbitrary code.
    A fix was made to address a buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS that allowed a remote attacker to execute arbitrary code (CVE-2020-10188).
    PAN-158036
    Fixed an issue on the firewall where custom application signatures based on PROPFIND http-method didn't trigger if
    webdav
     application ID was blocked by a Security policy.
    To utilize this fix, you must install content version 8367-6513 or later.
    PAN-157735
    Fixed an issue where the new PA-7000100G network processing card (NPC) took 25 minutes to start after rebooting the PA-7080 chassis.
    PAN-157721
    Fixed an issue where the firewall dropped GPRS tunneling protocol (GTPv2) Create Session Requests and Responses that had IEs 201 and 202 with the error
    Abnormal GTPv2-C message with invalid IE
    .
    PAN-157346
    Fixed an issue where HIP custom checks for plist failed when the HIP exclusion category were configured under (
    Mobile User Template > Network > GlobalProtect > Portal<portal-config> > Agent<agent-config> > HIP Data Collection
    ).
    PAN-157271
    Fixed an issue where
    Panorama > Cloud Services
     was visible to users with device group and template admin roles even if the admin role was disabled.
    PAN-156896
    (
    VM-Series firewalls only
    ) Fixed an issue where the firewall frequently stopped responding with the following log:
    CONFIG_UPDATE_INC : Incremental update to DP failed please try to commit force the latest config
    .
    PAN-156264
    Fixed an issue where the firewall displayed
    IP address
    Netmask
     and
    default gateway
     as
    unknown
     on the web interface as well as the CLI.
    PAN-156225
    (
    PA-3200 Series firewalls only
    ) Fixed an issue where the HA1-B port remained down after an upgrade from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to PAN-OS 10.0.4.
    PAN-155656
    Fixed an issue where multicast RTP traffic triggered unicast RTP Control Protocol (RTCP), and the predict session failed to install, which blocked the parent RTP session from forwarding packets.
    PAN-155147
    (
    VM-Series firewalls on Microsoft Azure that use accelerated networking interfaces with DPDK mode
    ) Fixed an issue where hot plug notifications caused traffic disruption.
    PAN-154557
    Fixed an issue that caused a process (useridd) core dump when parsing the Subject Alternative Name from a client certificate sent in the HIP report.
    PAN-154403
    Fixed an issue with HIP matching logic for missing patches where previous behavior indicated missing patches when no patches were missing.
    PAN-154376
    Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.
    PAN-154195
    Fixed an issue where the firewall dropped VoIP traffic over IPSec with counters
    flow_predict_convert_rtp_drop
     and
    flow_predict_convert_failed
    .
    PAN-153316
    CLI commands were added to address an issue where virtual memory on a process (configd) exceeded the new 32G limit.
    • To disable the virtual memory limit, use
      debug software disable-virt-limit
      .
    • To enable the virtual memory limit, use
      debug software enable-virt-limit
      .
    PAN-153286
    Fixed an issue on Panorama deployed on Amazon Web Services (AWS) where the Log Collector disk was on Admin disabled state when changing the instance type from m4 to m5.
    PAN-153213
    Fixed a rare issue where TCP packets randomly dropped due to reassembly failure.
    PAN-152497
    Fixed an issue where the firewall was unable to create a new GTP-U session when it received Create Session Response messages, which caused the following error message to display in the GTP log:
    GTPv1 message failed stateful inspection
    .
    PAN-152458
    (
    VM-Series firewalls on Microsoft Hyper-V only
    ) Fixed an issue where, when upgrading to PAN-OS 9.0.8 or later, ethernet packets dropped after adding VLAN tags during egress from a subinterface. To leverage this fix, set the interface level maximum transmission unit (MTU) to 1496 or less.
    PAN-152003
    Fixed an issue where an email client was unable to open an attached file due to removal of part of the file name encoded in UTF-8 by the firewall CTD function for SMTP and NAT sessions.
    PAN-151395
    Fixed an issue where the firewall repeatedly logged connection failures to a configured Log Collector.
    PAN-150298
    Fixed an issue where Android clients matched HIP objects configured for Apple products.
    PAN-150097
    Fixed an issue where hourly URL summary log generation failed.
    PAN-150023
    A fix was made to address an improper authentication vulnerability in PAN-OS that enabled a SAML authenticated attacker to impersonate any other user in the GlobalProtect portal and GlobalProtect gateway when they were configured to use SAML authentication (CVE-2021-3046).
    PAN-149501
    A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).
    PAN-147792
    Fixed an issue where a process (configd) stopped responding due to a buffer overflow.
    PAN-147783
    Checks were added to help prevent the dataplane from restarting.
    PAN-144538
    Fixed an issue where locally disabling the rule hit-count feature on Panorama caused a memory leak.
    PAN-144470
    Fixed an issue where driver descriptor rings were out of sync in the control plane to dataplane direction, which caused internal path monitoring heartbeat failures.
    PAN-142818
    Fixed an issue where the management server restarted due to a telemetry buffer overflow that occurred when generated threat logs had specific signature flags set.
    PAN-142621
    Fixed an issue where the firewall was unable to log debug information in case of kernel panic.
    PAN-142473
    Fixed an issue where a commit failed with the following error message:
    Disk quotas add up to more than 100%. Invalid configuration.
     due to an integration issue.
    PAN-136347
    Fixed an issue wherer DNS proxy TCP connections were processed incorrectly, which caused a process (
    dnsproxy
    ) to stop responding.
    PAN-134799
    Fixed an issue where packets of the same session were forwarded through a different member of an Aggregate Ethernet (AE) group once the session was offloaded.
    PAN-120423
    Support was added for XML API for GlobalProtect logs.
    PAN-113795
    Fixed an issue on a firewall configured with GlobalProtect Clientless VPN where a process (
    all_pkts
    ) stopped responding, which caused the dataplane to restart.
    PAN-110429
    Fixed an issue with firewalls in a high availability configuration where multiple all_pktproc processes stopped responding due to missing heartbeats, which caused service outages.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.