PAN-OS 7.1.4 Addressed Issues
The following table lists the issues that are addressed in the PAN-OS® 7.1.4 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Issue ID Description
99996 Fixed an issue where the GlobalProtect agent was unable to retrieve an SCEP-issued user certificate because the firewall sent an invalid response to the agent, which caused the agent to stop responding. With this fix, the firewall sends responses that can be handled by the agent.
PAN-59258 98112 Fixed an issue on firewalls in an HA active/active configuration where session timeouts for some traffic were unexpectedly refreshed after a commit or HA sync attempt. However, in PAN-OS 7.1.4, this issue is fixed only for an HA pair where both peers are running a PAN-OS 7.1 release; this issue is not fixed in a configuration where one firewall is running a PAN-OS 7.1 release and the other is running a PAN-OS 7.0 or earlier release.
98164 Fixed an issue on firewalls where, if you deleted the proxy server configuration for the AutoFocus service, the configuration remained.
97763 Fixed an issue where a PA-200 firewall failed to download a PAN-OS software update due to an incorrect disk space calculation.
97734 Fixed an issue where the GlobalProtect pre-logon VPN failed to establish because the firewall prepended the domain name to pre-logon user.
97689 Fixed an issue where firewalls stopped responding because dynamic IPSec peers sent X509_SUBJECT in the Internet Key Exchange (IKE) payload during Phase 1 negotiation.
97625 Fixed an issue on VM-Series firewalls running on Amazon Web Services (AWS) where a process (devsrvr) stopped responding after activating the BrightCloud URL filtering license.
97583 Fixed an issue where, with SSL Forward Proxy Decryption enabled, the firewall displayed an expired certificate error page to end users even though the certificate chain was valid because there was an expired certificate on the firewall that was not part of the chain. With this fix, the firewall does not display the misleading error page.
97571 Fixed an issue where reusing previous port information (tcp-reuse) for new sessions caused traffic in those sessions to be dropped.
97549 Fixed an issue on PA-7000 Series firewalls where the system log message Syslog connection failed to server appeared repeatedly on the passive firewall of an active/passive pair when the error condition was not present. With this fix, the firewall does not display the log message under incorrect conditions.
97466 Fixed an issue where a TCP reassembly failure for a reused TCP session prevented users from accessing Windows Server 2012 sites and applications.
97424 Fixed an issue where firewalls delayed SSL traffic when unable to resolve the URL category because the Server Certificate Hostname contained a colon character that the firewall interpreted as a delimiter for a port number.
97357 Fixed an issue where a process (l3svc) stopped responding while processing captive portal requests that did not have query arguments.
97247 Fixed an issue where a PA-200 firewall failed to download a content update due to disk space issues after a failed antivirus update installation. With this fix, the firewall will, as part of the update installation process, clean up all temporary files even if the update installation fails.
97160 Fixed an issue where a firewall failed to upgrade to a PAN-OS 7.1 release—or where a firewall running a PAN-OS 7.1 release failed to update to a new content release version—and started rebooting repeatedly. This issue occurred when the firewall configuration included an application risk override and the update or upgrade changed that overridden application to a container ( <application>-base ). With this fix, the upgrade or update is successful even if an update or upgrade changes an overridden application to a container.
97113 Fixed an issue where a filter ( url contains ) failed to return results from the URL filtering logs if it contained a generic domain like com or org . With this fix, filters such as nytimes.com and nytimes will return equivalent results.
97099 Fixed an issue where, after importing the configuration from a Panorama M-100 appliance to a Panorama M-500 appliance, you could not select the existing security profiles and log-forwarding profiles.
97063 Fixed an issue where User ID group mapping stopped working due to a race condition.
96937 Fixed an issue where Panorama could not sync to the NSX manager after a reboot or a failover, which caused a service outage. With this fix, sync works as expected.
96757 Fixed an issue on Panorama where an administrator lost access after trying to commit a Security policy rule that contained an empty address group.
96679 Fixed an issue where the active-secondary firewall of an HA active/active pair displayed the error message 502 Bad gateway instead of an expected URL override page to end users.
96422 Fixed an issue where a Panorama administrator with custom rights configuration could not access the commit window because the window flashed and disappeared after the administrator clicked the Commit button. With this fix, when an administrator does not have privileges to access a commit function, Panorama displays an error message that indicates access is denied.
96415 Fixed an issue where the firewall failed to pass traffic in strongSwan and Azure IPSec tunnels while using IKEv2 because it did not send a Delete payload during a Phase 2 Child SA re-keying. With this fix, the firewall correctly sends a Delete payload during re-keying if it is the node that initiated the re-keying.
96402 Fixed an issue where a newly active firewall in an HA active/passive pair lost the ability to send TCP SYN messages to its BGP peers, which resulted in dropped traffic.
96184 Fixed an issue where the firewall stopped forwarding logs and discarded logs even when incoming logging rate was low. With this fix, the processing of logs is optimized to improve pre-matching results, and CPU load is reduced to prevent the queue from becoming full and discarding logs.
96155 Fixed an issue on VM-Series firewalls where the passive firewall interface in an HA pair went down, even with Passive Link State set to auto in the HA configuration.
96082 Fixed an issue where the firewall responded to Microsoft network load balancing (MS-NLB) multicast packets by incorrectly sending the multicast address as the source address.
95978 Fixed an issue where firewall did not send all of the supported algorithms in the signature algorithm extension of client hello when negotiating connections with some SSL sites accessed from version 50 of the Chrome browser, which caused those connection attempts to fail.
95864 Fixed an issue where the GlobalProtect portal did not negotiate encryption algorithms correctly, which caused errors on recent releases of browsers with newly available stricter checking enabled. After this fix, the portal negotiates the correct algorithms to eliminate browser errors.
95846 Fixed an issue where deleting the default administrator account on the VM-Series firewall in AWS caused the firewall to go into maintenance mode. This occurred because the firewall, to reboot successfully, required the SSH key associated with the administrator account (the private key— ssh-key —used to provision the firewall in AWS). With this fix, as long as you first create another superuser account on the firewall, you can delete the default administrator account and the firewall will reboot successfully.
95797 Fixed an issue on Panorama where, if you selected Group HA Peers , previously selected individual firewalls became unselected, leaving only the most recently selected firewalls as part of the grouping configuration.
95723 Fixed an issue where authentication failed when you used secure encrypted cookies if you configured the GlobalProtect portal or gateway to authenticate using an authentication sequence and then specified a domain\user in the User/User Group settings of the agent configuration.
95622 Security-related fixes were made to address issues identified in the May 3, 2016 OpenSSL security advisory (PAN-SA-2016-0020).
95604 Fixed an issue where firewalls configured with OSPFv3 adjacency and AH authentication header profiles failed to establish full adjacency because the fragmented OSPFv3 packets failed the AH authentication check.
95591 Fixed an issue where management server would crash due to excessive printing of debug messages caused by a large number of FQDN requests.
95568 Fixed an issue where configuration commits on firewalls failed because improper handling of temporary files related to HA sync for registered IP addresses consumed all available space in the target (pancfg) disk partition. With this fix the firewall eventually deletes temporary files so they don't accumulate and consume disk space.
95466 Fixed an issue where Panorama displayed a false commit warning that indicated a WildFire scheduled update time overlapped with content updates (Applications, Threats, and Antivirus). With this fix, PAN-OS correctly interprets the WildFire schedule update time and prevents false commit warnings when scheduled update times do not overlap.
95039 Fixed an issue on VM-Series firewalls where traffic processing slowed down for two to three minutes after firewall received a burst of packets on the HA2 data link.
94922 Fixed an issue where emails configured to use the per-virtual system (vsys) SMTP service route were sent using the global SMTP service route settings. With this fix, emails use the configured virtual system SMTP service route.
94820 Fixed an issue on Panorama where the Adjust Columns option in Panorama > Device Groups did not adjust columns properly and caused fields to disappear from view.
94615 Fixed an issue on PA-7000 Series firewalls where the designated Log Card interface did not transmit a gratuitous ARP upon failover, which caused connectivity issues with neighboring devices.
94582 Fixed an issue where, after you changed the application risk value to a non-default value, the web interface displayed the default value and you could only see the configured value by selecting the application and viewing it manually. With this fix, the firewall displays the configured value in the interface.
94372 Fixed an issue where the firewall truncated user-group names when the name exceeded 150 characters. With this fix, the firewall preserves the complete group name even if the user-group name exceeds 150 characters, up to a maximum of 255 characters.
94368 Fixed an issue where, if you configured an external dynamic lists file with comments indicated by forward slashes (//), the firewall failed to load the file.
94166 Fixed an issue where, if you configured a NetFlow profile under a virtual system (vsys), you could not assign the NetFlow profile to a sub-interface part of same vsys.
93921 Fixed an issue where commits on Panorama failed because a process (cord) stopped responding.
93909 Fixed an issue where, if the antivirus and anti-spyware definition files for an application were not present, the firewall validated host information profile (HIP) reports with invalid dates.
93540 Fixed an issue where the read-only superuser could not export a threat packet capture (pcap) file from the web interface, which displayed a File not found message.
93243 Fixed an issue where a Security policy rule pushed from Panorama could not be cloned locally on the firewall.
92762 Fixed an issue where, regardless of the configured metric, OSPF preferred Type 2 external metrics over Type 1 external metrics.
92701 Fixed an issue where Panorama displayed an unauthorized request message to a device group and template administrator when the administrator attempted to view shared device group policies.
92621 Fixed an issue where forwarded threat logs used inconsistent formatting between the Request field and the PanOSReferer field. With this fix, the PanOSReferer field uses double quotes for consistency with the Request field.
92527 Fixed an issue where SSL Inbound Inspection caused a packet buffer leak, leading to degraded performance.
92523 Fixed an issue where, for firewalls in an HA active/active configuration, the predict session for an Oracle redirect that synchronized to the peer device became stuck in the Opening State because the parent session was not installed on the peer device. With this fix, the firewall ensures the parent session is installed on the peer device and the predict session for the Oracle redirect transitions to active state to allow for successful Oracle client-to-server communication.
92472 Fixed an issue where, during the connection of a satellite to the GlobalProtect gateway, the Online Certificate Status Protocol (OCSP) verification for the GlobalProtect certificate failed because the OCSP response did not contain the signature certificate.
92367 Fixed an issue on Panorama where you could not filter by device group when in the firewall device context.
92106 A security-related fix was made to address multiple NTP vulnerabilities (PAN-SA-2016-0019).
92008 Fixed an issue where, if you used SNMP to check the status of a tunnel interface, the firewall provided incorrect information.
91886 A security-related fix was made to address CVE-2015-7547 (PAN-SA-2016-0021).
91885 Fixed an issue where the log filter you can create by clicking a value in the Destination Country or Source Country column did not work when you chose a country name because the filter string used the country name instead of the country code.
91767 Fixed an issue where adding objects such as tags to Panorama using the XML API resulted in those objects not being visible under Policies, Addresses, or Services.
91492 Fixed an issue where SSL decryption on firewalls failed when the server presented a certificate chain that did not have the expected extension in the root certificate even though the firewall had the correct root certificate in its default trusted CA store.
91474 Fixed an issue that prevented a firewall in Common Criteria Evaluation Assurance Level 4 (EAL4) mode from connecting to Panorama HA pair units in Common Criteria (CC) mode.
91078 Fixed an issue where the Reject Default Route configuration did not work for OSPFv3, which resulted in network outages.
90992 Fixed an intermittent issue where the initial GlobalProtect client connection to a GlobalProtect portal or gateway failed with the error: Valid client certificate is required . This occurred when the certificate profile used CRL/OCSP to check certificate validity and was due to a problem with the certificate not being available in the dataplane cache. Subsequent connections worked because the certificate was added to the cache during the initial connection attempt.
90777 Fixed an issue where the firewall failed to make the CLI configuration set authentication radius-vsa-on client-source-ip persistent across system restart.
90677 Fixed an issue where the flow management (flow_mgmt) process stopped responding, which caused the dataplane to restart.
89891 Fixed an issue where Threat logs forwarded from the firewall had an extra colon when using TCP for the transport protocol. With this fix, the format of forwarded logs over TCP and UDP is consistent.
88696 Fixed an issue where, under certain conditions, a process (mpreplay) frequently restarted due to excessive internal messaging.
87032 Fixed an issue where firewalls and appliances running Panorama 7.0 or later releases failed to display or download reports received from firewalls running PAN-OS 6.1 or earlier releases.
86916 Fixed an issue where traffic bursts entering a PA-3000 Series firewall caused short-term packet loss even though the overall dataplane utilization remained low. This issue was typically observed when two firewall interfaces on the same firewall were connected to each other. With this fix, internal thresholds were modified to prevent packet loss in these conditions.
85878 In response to an issue where DNS queries sometimes caused a Log Collector to run too slowly and caused delays in log processing, the debug management-server report-namelookup disable CLI command is added to disable DNS lookups for reporting purposes.
85484 Fixed an intermittent issue where the GlobalProtect portal used the cookie instead of the authentication information provided by the GlobalProtect client, which caused authentication to fail. With this fix, if a client connects using a cookie, the GlobalProtect portal ignores the cookie in favor of the authentication information provided by the GlobalProtect client so that authentication is successful.
85361 Fixed an issue where, if you used the CLI to input more than 126 addresses in an address group or 126 URLs in an allow-list, the firewall did not apply the configuration.
85160 Fixed an issue where a firewall lost members of a domain group after a failover from the primary to the secondary LDAP server when the last modified timestamp for the group was not the same on both servers.
84949 Fixed an issue where M-100 appliances in an HA active/active configuration forwarded logs only to one syslog server even though two syslog servers were defined. This issue occurred only on the primary-secondary appliance and was due to an HA sync issue.
84711 Fixed an intermittent issue where some packets incorrectly matched Security policy rules, which resulted in App-ID™ policy lookup errors and discarding of packets.
84496 Fixed an issue on PA-7000 Series firewalls where excessive or prolonged log queries caused a memory leak on the Log Processing Card (LPC).
84373 Fixed an issue where Panorama generated an error when a WildFire update was installed even though the download and install were successful.
84046 Fixed an issue where SSL decryption failed when a certificate was rejected due to a missing or empty basicConstraints extension. With this fix, an exception is added to allow a missing or empty basicConstraints extension for self-signed non-CA certificates, and the following behaviors will be applied to CAs with regard to basicConstraints extensions: If the CA has an extension basicConstraints=CA:TRUE, then allow the CA. If the CA has an extension basicConstraints=CA:FALSE, then block the CA, but allow device-trusted CAs, including default CAs and imported CAs. If the CA has does not have a basicConstraints extension, then block the CA, but allow device-trusted CAs, including default CAs and imported CAs, and allow self-signed CAs.
82138 Fixed an issue where WildFire reports were not displayed on the web interface when proxy settings were configured for the management interface.
80628 Fixed an issue where WildFire content updates showed timestamps with future dates.
77822 Fixed an issue where a VM-Series NSX edition firewall sent Dynamic Address Group information only to the primary virtual system (VSYS1) on the integrated physical firewall at the data center perimeter. With this fix, a VM-Series NSX edition firewall configured to Notify Device Group sends Dynamic Address Group updates to all virtual systems on a physical firewall running PAN-OS 7.0.8 or a later PAN-OS 7.0 release.
76197 Fixed an issue where firewall Traffic logs displayed unusually large byte counts for http-proxy and http-video counters due to frequent application shifts between those application-type packets within a single proxy session.

Related Documentation