PAN-OS 7.1.12 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.12 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
Issue ID Description
PAN-81951 Fixed an issue where errors associated with a Commit > Commit All Changes operation also caused FQDN refresh operations to fail on the firewall. With this fix, commit failures don't cause FQDN refresh failures.
PAN-81287 Fixed an issue where a firewall in FIPS/CC mode intermittently switched to maintenance mode.
PAN-80433 Fixed an issue where Panorama did not display IP addresses for NSX dynamic address groups even when the VM-Series NSX edition firewall and NSX manager displayed the IP addresses.
PAN-80155 Fixed an issue where firewalls that were deployed in an active/passive high availability (HA) configuration and that acted as DHCP relay agents used physical MAC addresses instead of HA virtual MAC addresses for DHCP packets.
PAN-80122 A security-related fix was made to address a vulnerability that allowed XML External Entity (XXE) attacks on the GlobalProtect external interface because PAN-OS did not properly parse XML input (CVE-2017-9458).
PAN-79844 Fixed an issue on Panorama where scheduled custom reports returned no data.
PAN-79804 Fixed an issue where VM-Series firewalls for VMware NSX did not register on Panorama if they belonged to a device group that contained applications from a content release version that was newer than the version included with the PAN-OS software image for fresh installations.
PAN-79555 Fixed an issue on VM-Series firewalls on Azure where dataplane interfaces did not come up as expected because they did not successfully negotiate Layer 2 settings during bootup.
PAN-79174 Fixed an issue where commits took longer to complete than expected on firewalls with hundreds of policy rules that referenced application filters or application groups that specified thousands of applications.
PAN-78854 Fixed an issue where a firewall dropped sessions for sites that used the supported AES-256-GCM cipher when you configured SSL Forward Proxy Decryption and defined a Decryption profile that blocked sessions using unsupported ciphers (Objects > Decryption Profile > <decryption_profile> > SSL Forward Proxy).
PAN-78770 Fixed an issue on PA-500 firewalls in a high availability (HA) configuration where the HA1 interface went down due to a missed HA1 heartbeat.
PAN-78385 Fixed an issue where a Panorama management server running PAN-OS 8.0 did not display logs that were related to VPN tunnels or authentication and that were collected from PA-7000 Series firewalls running PAN-OS 7.1 or an earlier release.
PAN-78044 Fixed an issue where the firewall dropped packets that were destined for IP address FD00::/8 when you configured a Zone Protection profile with a Strict IP Address Check (Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop). With this fix, FD00::/8 is no longer a reserved IP address.
PAN-77866 Fixed an issue where the authentication process (authd) stopped responding if a third-party device blocked the transmission of authentication packets between the firewall and an LDAP server. With this fix, authentication fails without authd becoming unresponsive if a third-party device blocks LDAP authentication packets.
PAN-77747 Fixed an issue where a firewall with ECMP enabled on a virtual router (Network > Virtual Routers > Router Settings > ECMP) did not load balance the traffic among egress interfaces when the traffic originated from another virtual router.
PAN-77652 Fixed an issue on PA-7000 Series firewalls where the mprelay process stopped responding due to a memory leak on the control plane.
PAN-77645 Fixed an issue where Dedicated Log Collectors did not forward logs to a syslog server over TCP.
PAN-77520 Fixed an issue on PA-7000 Series firewalls with AMC hard drives, model ST1000NX0423, where the firewalls rebuilt Disk Pair B in the LPC card after a reboot.
PAN-77062 Fixed an issue where administrators with a custom role could not delete packet captures.
PAN-76997 Fixed an issue on the PA-3020 firewall where SSL connections failed due to memory allocation issues if you configured a Decryption profile with Key Exchange Algorithms that included ECDHE (Objects > Decryption Profile > <decryption_profile> > SSL Protocol Settings).
PAN-76831 Fixed an issue on PA-7000 Series firewalls where committing configuration changes caused the management server to stop responding and made the web interface and CLI inaccessible.
PAN-76830 Fixed an issue on PA-5000 Series firewalls where insufficient memory allocation caused SSL decryption errors that resulted in SSL session failures, and the firewall displayed the reason in Traffic logs as decrypt-error or decrypt-cert-validation.
PAN-76160 Fixed an issue where a memory leak caused the firewall to create hundreds of LDAP connections, which resulted in commit failures.
PAN-76155 Fixed an issue where the logs for the VM Monitoring Agent did not indicate the reason for events that caused the agent to exit. With this fix, the agent logs display debug-level details when the agent exits.
PAN-76130 A security-related fix was made to address OpenSSL vulnerabilities relating to the Network Time Protocol (NTP) library (CVE-2016-9042/CVE-2017-6460).
PAN-76019 Fixed an issue where the dataplane restarted because the firewall used incorrect zone identifiers for deleting flows when untagged subinterfaces had parent interfaces with no zone assignment.
PAN-76003 A security-related fix was made to prevent cross-site scripting (XSS) attacks through the GlobalProtect external interface (CVE-2017-12416).
PAN-75724 Fixed an issue where the PAN-OS integrated User-ID agent allowed weak ciphers for SSL/TLS connections. With this fix, the User-ID agent allows only the following ciphers for SSL/TLS connections: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA, DHE-RSA-AES256-SHA, DHE-RSA-AES128-SHA, AES256-SHA256, AES256-SHA, AES128-SHA256, AES128-SHA.
PAN-75571 Fixed an issue where the web interface did not display the full list of IPSec tunnels (Network > IPSec Tunnels) after upgrading the firewall to PAN-OS 7.1.7.
PAN-75371 Fixed an issue where firewalls configured to perform destination NAT misidentified applications after incorrectly adding the public IP addresses of destination servers to the App-ID cache.
PAN-75337 Fixed an issue where CPU usage spiked on the firewall during Diffie-Hellman (DHE) or elliptic curve Diffie-Hellman (ECDHE) key exchange for SSL decryption. With this fix, the firewall has enhanced performance for DHE and ECDHE key exchange.
PAN-75132 Fixed an issue where certificates created locally on the firewall had duplicate serial numbers because the firewall did not check the serial numbers of existing certificates signed by the same CA when generating new certificates.
PAN-74880 Fixed an issue where retrieving threat packet captures took longer than expected through the web interface (Monitor > Logs > Threat) or PAN-OS XML API.
PAN-74369 Fixed an issue where modifying the BFD profile in a virtual router (Network > Virtual Routers) caused the routed process to stop responding.
PAN-74366 Fixed an issue on the firewall and Panorama where the management server (mgmtserver) process restarted after you tried to filter a Policies > <policy_type> list based on specific strings such as 00 or 000.
PAN-74110 Fixed an issue where administrators could not log in to the firewall using LDAP credentials after a PAN-OS upgrade.
PAN-74067 Fixed an issue in large-scale deployments where the User-ID process (useridd) stopped responding due to a loop condition because firewalls configured as User-ID agents repeatedly redistributed the same IP address-to-username mappings.
PAN-73919 Fixed an issue where you could not use the web interface or CLI to configure a multicast IP address as the Source or Destination in packet filters (Monitor > Packet Capture).
PAN-73711 Fixed an issue where firewalls configured as DHCP clients did not receive IP addresses from the DHCP server because the firewalls did not set the gateway IP address (giaddr) value to zero in DHCP client reply messages.
PAN-73270 Fixed an issue where the firewall rebooted if a Syslog Parse profile with the Type set to Regex Identifier (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters) matched a null character in a syslog message.
PAN-72831 Fixed an issue where rebooting the firewall caused it to generate a false critical alarm that indicated LDAP servers were down.
PAN-72334 Fixed an issue where firewalls did not resume forwarding logs to Log Collectors after Panorama management servers in a high availability (HA) configuration recovered from a split-brain condition.
PAN-71615 Fixed an issue where an intrazone block rule shadowed a universal rule that had different source and destination zones.
PAN-71612 Fixed an issue where the logs that the firewall forwarded to a syslog server had syslog header timestamps that did not match the times when the firewall generated the logs.
PAN-71392 Fixed an issue where the firewall did not connect to a SCEP server if the SCEP service route used a loopback interface as the Source Interface (Device > Setup > Services > Service Route Configuration).
PAN-71226 Fixed an issue where the firewall dataplane restarted because packet processing processes stopped responding for HTTP traffic involving URL percent-encoding.
PAN-71192 Fixed an issue where performing a log query or log export with a specific number of logs caused the management server to stop responding. This occurred only when the number of logs was a multiple of 64 plus 63. For example, 128 is a multiple of 64, and 128 plus 63 equals 191; if you performed a log query or export and there were 191 logs, the management server stopped responding.
PAN-69014 Fixed an issue where the Panorama management server did not display the logs collected from PA-7000 Series firewalls that were assigned to a device group that was the child of the Device Group selected on the Monitor tab of the web interface.
PAN-68658 Fixed an issue where handling out-of-order TCP FIN packets resulted in dropped packets due to TCP reassembly that was out-of-sync.
PAN-68580 Fixed an issue where VM-Series firewalls in a high availability (HA) configuration displayed the wrong link state after a link-monitoring failure.
PAN-68363 Fixed an issue where logs exported in CSV format had columns that were not aligned correctly.
PAN-66719 Fixed an issue where, when the session synchronization rate was very high, firewalls in a high availability (HA) configuration dropped Backup keep-alive messages, which caused flapping on the HA2 interface.
PAN-66552 Fixed an issue where the firewall web interface referred to external dynamic lists (EDLs) as block lists in the Destination Address drop-down of policy rules (Policies > <policy_type> > <rule> > Destination). With this fix, the Destination Address lists EDLs under the External Dynamic List header.
PAN-63528 Fixed an issue on the VM-Series firewall on Hyper-V where VLAN trunking did not enable the firewall to process traffic on multiple subinterfaces using VLAN tags.
PAN-63333 Fixed an issue where adding more OSPF areas to a virtual router that had no neighbors (Network > Virtual Routers > <virtual_router_configuration> > OSPF > Areas) caused BFD sessions to flap on connections to existing OSPF neighbors.
PAN-61813 Fixed an issue on Panorama where a custom scheduled report configured for a device group was empty when exported.
PAN-60863 Fixed an issue where a switch connected to firewalls in an active/passive high availability (HA) configuration stopped learning MAC addresses after HA failover.
PAN-60535 Fixed an issue on PA-7000 Series firewalls where NPC slots went down due to missing heartbeats.
PAN-59895 Fixed an issue where firewalls in an active/active high availability (HA) configuration did not perform an autocommit after rebooting (such as after a PAN-OS upgrade), which prevented the firewalls from applying policies.
PAN-57667 Fixed an issue where Panorama stopped the report generation process at 80% for a SaaS Application Usage report for a Device Group that had a space in its name (Panorama > Monitor > PDF Reports > SaaS Application Usage).
PAN-56041 Fixed an issue on firewalls with an IPv6 configuration where the mprelay process stopped responding.
PAN-50081 Fixed an issue where CPU utilization stayed at 100% on the dataplanes of firewalls in an active/active high availability (HA) configuration when the firewalls had multiple virtual systems, used SSL Forward Proxy Decryption, and connected to third-party Layer 3 devices.
PAN-49363 Fixed an issue where an SNMP walk operation on an SNMP manager displayed a discrepancy between the number of interfaces and interface descriptions because the firewall did not decrease the number of SNMP interface indexes after you removed logical interfaces from the configuration.
