PAN-OS 7.1.0 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.0 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Issue ID Description
93072 A security-related change was made to address an issue in the policy configuration dialog (PAN-SA-2016-0014).
92382 Fixed an issue where the firewall could not install PAN-OS or GlobalProtect agent software images on leap day (February 29). With this fix, the firewall can install these images regardless of the date.
92293 A security-related fix was made to address CVE-2016-1712 (PAN-SA-2016-0012).
91900 Fixed an issue where a Panorama validate operation followed by an FQDN refresh caused the validated configuration change to commit to the firewall.
91876 Fixed an issue where the passive firewall in a VM-Series ESXi configuration was processing and forwarding traffic.
91771 Fixed an issue where a firewall did not send TCP packets out during the transmit stage in the same order as those packets were received.
91728 A security-related fix was made to address a Denial of Service (DoS) condition related to the PAN-OS XML API (PAN-SA-2016-0008).
91653 Fixed an issue where SSL decryption did not work as expected for resumed sessions.
91533 Fixed an issue where a firewall failed a commit after receiving a File Blocking profile from Panorama that contained a space at the end of the profile name. This issue occurred when the managed firewall was running an older version of PAN-OS (when File Blocking and WildFire™ Analysis profiles were merged into one profile) and Panorama pushed the configuration to a device group.
91522 Fixed an issue where a cloned application name could not be edited after it was cloned from a Shared/Device Group location to a Shared location. With this fix, the cloned application names can be edited.
91336 Fixed an issue where the packet processor stopped responding when proxy packets were switched to the fast path group on the dataplane.
91307 Fixed an issue where SSL decryption sessions failed for secure websites that used a certificate issued by the Entrust.net Certification Authority (2048).
91234 Fixed an issue on PA-7000 Series firewalls where a session was modified while in a state that should not allow modification, which caused processes associated with the packet processing daemon to stop responding.
91075 Fixed an issue where the LSVPN tunnel interface started flapping after upgrading the firewall at one end of the tunnel (either the GlobalProtect gateway or satellite firewall) to a PAN-OS 7.0 or later release while the firewall at the other end of the tunnel was still running a PAN-OS 6.1 or earlier release. This issue occurred due to changes to encryption algorithm names when introducing Suite B ciphers in PAN-OS 7.0. With this fix, firewalls running PAN-OS 7.0.7 (or PAN-OS 7.1) or later releases successfully recognize the old names used in PAN-OS 6.1 and earlier releases so that LSVPN tunnels are established and stay up as expected.
91034 Fixed an issue on the WildFire platform where, if the snmp.log file is over 5MB, the snmpd process cleared the log file and restarted.
90982 Fixed an issue where upgrading from a PAN-OS 6.1 release caused the GlobalProtect portal or gateway and SSL decryption processes to stop responding. This issue occurred because SSL/TLS Service Profiles (introduced in PAN-OS 7.0) were not created successfully if you did not enable multiple virtual system (multi-vsys) functionality on the firewall. With this fix, SSL/TLS Service profiles are now successfully created on non-multi-vsys platforms when upgrading to PAN-OS 7.1.0 and later releases.
90933 Fixed an issue where the firewall generated superfluous logs (for traffic that did not match the configured filters) after you enabled dataplane debugging.
90857 Fixed an issue with a passive peer in an HA configuration where the web interface did not allow you to configure dynamic updates.
90794 Fixed an issue where a log file (/var/log/wtmp) inflated and consumed the available disk space. With this fix, PAN-OS uses a log rotation function to prevent log files from consuming more disk space than necessary.
90742 Fixed an issue where you could not add WF-500 appliance signatures as exceptions in an Antivirus profile when the signature names contained more than 32 characters.
90635 A security-related fix was made to address a cross-site scripting condition in the Application Command Center (ACC) (PAN-SA-2016-0009).
90553 Fixed an issue where Data Filtering and WildFire Submission logs for non-NAT sessions contained incorrect or invalid NAT information.
90501 Fixed an issue where the firewall could not connect to a GlobalProtect portal or gateway after removing the LSVPN configuration.
90433 Fixed an issue where overrides of the default rules in the Shared policy took precedence over the overrides of default rules in a device group. With this fix, override precedence now behaves as designed (overrides of default rules in the lowest level device group take precedence over those settings in the higher level device groups and Shared).
90411 Fixed an issue where a global counter (flow_dos_pf_noreplyneedfrag) related to the suppress-icmp-needfrag Zone Protection profile displayed the action as drop even when configured to allow ICMP Fragmentation. This fix introduces a new global counter (Unsuprressed ICMP Need Fragmentation).
90260 Fixed an issue where a device administrator was unable to configure certain settings under Device > Setup > Operations.
90249 Fixed an issue where upgrading from a PAN-OS 6.1 or earlier release prevented administrators from overriding LDAP group mappings that were pushed from Panorama.
90141 Improved output of the command request batch license info on Panorama to include license expiration times.
90106 Fixed an issue where a process restarted unexpectedly due to the reuse of a process ID (PID). The PID was associated with an old SSH session that the firewall intended to terminate because the SSH session had timed out but was never closed properly, which inadvertently resulted in a restart of the process currently associated with that PID.
90070 Fixed an issue where a memory leak associated with the authentication process (authd) caused intermittent access and authentication issues.
89979 Fixed an issue where the Aggregate Ethernet (AE) interface port in virtual wire mode with link state pass through enabled came up after a commit even though its peer AE interface port was down. With this fix, the other AE interface port will come up after the commit and is then brought down in approximately 10 seconds. This causes both AE interfaces to stay down until the first AE interface recovers.
89910 Fixed an issue where all LLDP packets were sent with the source MAC address of the MGT interface instead of the dataplane interface from which they were transmitted. With this fix, LLDP packets are encapsulated with the source MAC address of the interface that transmitted the packet.
89906 Fixed an issue where non-superuser administrators were unable to see Exempt Profiles and the Security policy rules in which the profiles are used when viewing a Threat log (Monitor > Logs > Threat > <Threat Name>).
89761 Fixed an issue where a scheduled log export failed to export the logs if the password in the configuration contained the dollar sign ("$") character.
89752 A security-related fix was made to address a buffer overflow condition.
89750 A security-related fix was made to address a stack underflow condition.
89743 Fixed an issue where commits failed due to processes (configd and mgmtsrvr) that stopped responding. This issue was caused by memory corruption related to the WildFire deployment schedule.
89723 Fixed an issue where IPSec tunnels using IKEv2 failed to establish a VPN if multiple remote gateways were behind a port address translation (PAT) setup. With this fix, the firewall can allow multiple devices behind PAT to set up security associations to the same IP gateway.
89717 A security-related fix was made to ensure the appropriate response to special requests received through the API interface.
89706 A security-related fix was made to prevent some CLI commands from improperly executing code.
89595 Fixed an issue where attempting to Hide Panorama background header (Panorama > Setup > Operations > Custom Logos) resulted in an error (Edit breaks config validity).
89551 Fixed an issue where the User Activity Report did not show results for user names that contained German characters.
89503 Fixed an issue where user-group mappings were not properly populated into the dataplane after a firewall reboot.
89467 Fixed an issue with exporting a botnet report where exporting to CSV returned the Missing report job ID error.
89413 Fixed an issue where Panorama template commits failed when the names of several certificates in the Default Trusted Certificate Authorities list changed. This occurred when Panorama was running a PAN-OS 7.0 release and pushed a template to a firewall running a PAN-OS 6.1 or earlier release.
89342 Fixed a rare condition where the root partition on a firewall or appliance ran out of space during device state generation.
89296 Fixed an issue where a commit failed after renaming a Panorama shared object that was already referenced in the rules on a local firewall.
89284 Fixed a reporting issue on the ACC and SaaS Application Usage Report on managed firewalls. This issue occurred because the application information pushed from Panorama did not populate in a way or location that allowed the information to be used for reports generated on the firewalls.
89036 Fixed an issue where the delete user-file ssh known-hosts command was unavailable on an M-Series appliance in Log Collector mode.
88651 Fixed an issue where the User-ID (useridd) process stopped responding when the running-config was missing the port number associations for the Terminal Services (TS) Agent.
88585 Fixed an issue where DNS proxy rules didn't consistently match a domain name with the correct primary IP addresses. With this fix, matching logic favors results that do not include wildcards.
88561 Fixed an issue where the tunnel went down and began to renegotiate, causing traffic destined for the tunnel during that time to be dropped. This issue occurred when the configuration was pushed from Panorama to a firewall configured with IKEv2 preferred mode and that was connected to a firewall configured to use IKEv1 in an IPSec connection.
88450 Fixed an issue where Layer 3 interfaces without defined IP addresses, zones, or virtual routers dropped LLDP packets, which prevented the firewall from obtaining and displaying neighbor information.
88421 Fixed an issue where WildFire reports were generated for files already blocked by the Antivirus profile SMTP decoder.
88408 Fixed an issue where the show logging-status device command used in the XML API caused the log daemon to stop responding when the device attribute was omitted.
88346 Fixed an issue where a firewall was sending BGP packets with the wrong MD5 authentication value.
88327 Fixed an issue where several valid country codes were missing in the Certificate Attributes section when generating a certificate from the web interface.
88313 Fixed an issue where read-only device administrators were unable to view logs on the ACC tab.
88279 Fixed an issue where the debug dataplane packet-diag aggregate-logs command showed an incorrect target filename.
88225 Fixed an issue where the firewall could not register with the WildFire public cloud due to a problem with the log-cache size becoming too large. With this fix, a limitation mechanism is now in place to control the log-cache size.
88191 A security-related fix was made to address information leakage in system logs that impacted the web interface (PAN-SA-2016-0016).
88142 Fixed an issue with time calculation when displaying statistics for more than a single day (Monitor > App Scope > Network Monitor) that caused data to be unexpectedly shifted (calculation used 12:00 A.M. GMT instead of local time and data was shifted accordingly). With this fix, graphs display data across multiple days as expected for the local time on the firewall.
88141 Fixed an issue on Panorama where an administrator with an access-domain name longer than 31 characters received the following error when logging in: Login could not be completed. Please contact the administrator. With this fix, administrators with access-domain names of up to 63 characters can log in.
88101 Fixed an issue where WildFire reports (web interface and PDF) were unable to display digital signer information.
87911 Fixed an issue where scheduled dynamic updates to managed firewalls stopped functioning after migrating the Panorama VM to an M-500.
87880 Fixed an issue where the XML API request to test Security policy was not properly targeted to a specified virtual system (vsys), which made the request applicable only to the default vsys. With this fix, the XML API request to test Security policy is able to retrieve results for any previously targeted vsys.
87871 Fixed an intermittent issue in an HA active/active configuration where packets passed through a virtual wire were dropped due to a race condition that occurred when the session owner and session setup were not on the same HA peer.
87870 Fixed an issue where an OSPF route with a lower administrative distance than the static route should become the preferred route but was not installed and used as expected; the firewall continued to use the static route instead.
87851 Fixed an issue where high rates of fragmented packets caused the firewall to experience a spike in packet buffer, descriptor, and CPU usage.
87727 Fixed an issue where a virtual system custom role administrator could not add user-to-IP mappings using the XML API.
87594 Fixed an issue on M-Series appliances that caused the show ntp CLI command to time out.
87482 A security-related change was made to management plane account restrictions to prevent service disruption.
87414 Fixed a cosmetic issue where the traffic log type was displayed in the severity column of the Log Forwarding profile.
87207 Fixed an issue where the User-ID process (useridd) stopped responding, which caused the firewall to reboot.
87144 Fixed an issue where a change of an object name was not propagated in some parts of the configuration where the object was referenced.
87094 Fixed an issue where committing a policy on Panorama that contained interfaces that were manually defined generated an error: [interface name] is not an allowed keyword.
87066 Fixed an issue on Panorama virtual appliances and on M-Series appliances in Panorama mode where two correlation engine sub-objects on the Web UI tab (Correlation Objects and Correlated Events) were incorrectly excluded when adding or modifying an Admin Role profile (Template > Device > Admin Roles).
86979 Fixed an issue where an incomplete IPSec tunnel configuration (one without an IKE gateway specified) caused the firewall server process to stop responding.
86977 Fixed an issue where LDAP sessions on Panorama were kept open and not actively refreshed. With this fix, a keep-alive mechanism is added that is triggered after 15 minutes of session inactivity and that allows a maximum of 5 failed probes before dropping a connection (probes occur in 60-second intervals).
86944 Fixed an issue on Panorama where a commit to a device group caused the Panorama job to fail, but the job was successful on the managed device.
86725 Fixed an issue where the SSL Certificate Errors Notify Page did not display values of some variables (such as certname, issuer, and reason) on web pages with expired certificates.
86717 Fixed an issue where QoS statistics for a specific interface were empty after a device reboot.
86686 Security-related fixes were made to address issues reported in the October 2015 NTP-4.2.8p4 Security Vulnerability Announcement.
86623 Fixed an issue where a firewall in an HA active/passive configuration dropped FTP PORT command packets after a failover.
86613 Fixed an issue where the General Settings dialog for Device > Setup > Management did not resize correctly when the Login Banner contained a large amount of text.
86488 Fixed an issue where predefined Application Usage Risk Trend graphs (Monitor > Reports > PDF Summary Reports) did not display lines between contiguous dots as expected.
86395 Fixed an issue where the administrator could not manually type the Ethernet interface name in a NAT policy in Panorama.
86313 Fixed an issue where the failed to handle CONFIG_COMMIT error was displayed during a commit.
86202 Fixed an issue where the management plane stopped responding if you modified an object referenced in a large number of rules.
86189 Fixed an issue where the firewall did not send SNMPv3 traps that used an IPv6 server address.
86122 Fixed an issue where an LACP Aggregate Ethernet (AE) interface using SFP copper ports remained down after a dataplane restart.
85961 Fixed an issue that occurred when using the Panorama template stack where the configuration (gear) icon displayed in the wrong location (next to Panorama servers in the template stack).
85882 Fixed an issue where improperly formatted API calls to Panorama caused one of the system daemons to stop responding.
85602 Enhanced logging for events where long CLI system commands would time out (for example, when generating a tech-support file).
85426 Fixed a cosmetic issue where the log action for the interzone-default Security policy rule was incorrect in session detail (session to be logged at end) when the default log action was overridden by the user.
85344 Fixed an issue where scheduled dynamic update installation caused the HA link to flap.
85320 Fixed an issue where a process (cryptod) stopped responding when attempting to use SSH to access a firewall that rebooted into maintenance mode after the master key was allowed to expire. With this fix, administrators can use SSH to access the firewall without causing the cryptod process to fail even after a firewall reboots to maintenance mode after the master key expires.
85265 Fixed an issue in the XML API that prevented a read-only Superuser from downloading custom packet captures.
84997 Fixed an issue on PA-7000 Series firewalls where the first autocommit attempt failed.
84911 Fixed an issue where an error was displayed when saving the NFS partition configuration on a Panorama virtual appliance.
84695 Fixed an issue where GlobalProtect was not appropriately indicated on the interface tab when it is configured on a loopback interface.
84414 Fixed an issue on the PA-7050 firewall where, after deleting a HIP log forwarding profile, a false warning would appear during a commit.
84146 Fixed an issue in PAN-OS 7.0 releases where the source and destination field was no longer included as expected in error messages that were triggered when requests to delete address objects failed. With this fix, the source and destination information is again included in the error message.
84143 Enhancement made to allow administrators to include the application field and URL field in custom response pages.
84115 Fixed an issue where virtual system administrators (full access or read-only) were unable to access settings under the Network tab (Panel for undefined not registered was displayed, instead).
84046 Fixed an issue where SSL decryption failed when a certificate was rejected due to a missing or empty basicConstraints extension. With this fix, an exception is added to allow a missing or empty basicConstraints extension for self-signed non-CA certificates, and the following behaviors will be applied to CAs with regard to basicConstraints extensions: If the CA has an extension basicConstraints=CA:TRUE, then allow the CA. If the CA has an extension basicConstraints=CA:FALSE, then block the CA, but allow device-trusted CAs, including default CAs and imported CAs. If the CA does not have a basicConstraints extension, then block the CA, but allow device-trusted CAs, including default CAs and imported CAs, and allow self-signed CAs.
84027 Fixed an issue where a firewall allowed some HTTP GET packets to pass through even when the URL Filtering profile was configured to block packets in this URL category.
83239 Fixed an issue where inbound SSL decryption did not work as expected when you enabled SYN cookies.
83086 Fixed an issue where the output of the show dos-protection <zone-name> blocked source command didn't display the correct data for the requested zone.
82918 Fixed an issue where re-entering an LDAP bind password through the CLI using a hash value (instead of a regular password) was rejected for having too many characters.
82524 Fixed an issue where a custom report with Group By Source User option did not include all data when the Source User field was empty.
82493 Fixed an issue so that the firewall performs NAT translations on IP addresses in an SCCP packet by doing a second NAT policy lookup instead of using a NAT policy for the current session.
82322 Added an enhancement to the PAN-OS routing engine for BGP routing protocol to remove a varying AS number preceded by a static AS number in the AS_PATH attribute.
82106 Fixed an issue where repetitive logging of inconsequential debug messages caused the snmpd.log file to reach its maximum file size and prevent further logging. With this fix, these inconsequential debug messages are no longer written to the log file.
80953 Fixed an issue where packets were not adhering to the virtual wire forwarding path, which caused MAC address flapping on neighboring devices. This occurred on a firewall in HA active/active virtual wire mode.
80750 Fixed an issue where you could not select a template stack or a descendant device group defined in a device group hierarchy on Panorama when specifying the device group and template for the VM-Series NSX edition firewall.
80336 Fixed an issue where Panorama custom report filenames that included a period (".") character resulted in empty reports. With this fix, reports are generated as expected for custom report filenames that include a period so long as the period is not the first character in the filename.
77273 Fixed an issue where importing a certificate with the same subject name as an existing certificate failed. With this fix, you can import a certificate that uses the same subject name as an existing certificate.
64717 Fixed an issue where an HA configuration did not correctly synchronize between firewalls when configured on Panorama and pushed to the firewalls.
42851 Fixed a performance issue with commit requests related to IKE configuration parsing. Also fixed cosmetic IKE validation messages displayed during the commit process, such as during a commit when the IKE gateway configuration was bound to an interface without an IP address. With this fix, the correct error message is displayed (IKE gateway <gw-name> used local interface <interface> which has no IP address. Configuration is invalid.).
